Detects suspicious process patterns used in NTDS.DIT exfiltration
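title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://pentestlab.blog/tag/ntds-dit/
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
    - https://github.com/zcgonvh/NTDSDumpEx
    - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
# Plain ISO dates: a generic YAML loader yields date objects here, not strings.
date: 2022-03-11
modified: 2022-11-10
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: process_creation
detection:
    # Known dumping tooling. The list form is an OR: any single entry matches.
    selection_tool:
        # https://github.com/zcgonvh/NTDSDumpEx
        - Image|endswith:
              - '\NTDSDump.exe'
              - '\NTDSDumpEx.exe'
        - CommandLine|contains|all:
              # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
              - 'ntds.dit'
              - 'system.hiv'
        - CommandLine|contains: 'NTDSgrab.ps1'
    # ntdsutil IFM media creation, abbreviated command form.
    selection_oneliner_1:
        # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
        CommandLine|contains|all:
            - 'ac i ntds'
            - 'create full'
    # Plain file copy of the AD database from a mounted volume.
    selection_oneliner_2:
        # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
        CommandLine|contains|all:
            - '/c copy '
            - '\windows\ntds\ntds.dit'
    # ntdsutil IFM media creation, long command form.
    selection_oneliner_3:
        # ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit"
        CommandLine|contains|all:
            - 'activate instance ntds'
            - 'create full'
    # Any PowerShell command line that references the database file.
    selection_powershell:
        CommandLine|contains|all:
            - 'powershell'
            - 'ntds.dit'
    # set1_*: both selections below must match (see condition).
    set1_selection_ntds_dit:
        CommandLine|contains: 'ntds.dit'
    # Parent or child image located under one of the listed directories.
    set1_selection_image_folder:
        - ParentImage|contains:
              - '\apache'
              - '\tomcat'
              - '\AppData\'
              - '\Temp\'
              - '\Public\'
              - '\PerfLogs\'
        - Image|contains:
              - '\apache'
              - '\tomcat'
              - '\AppData\'
              - '\Temp\'
              - '\Public\'
              - '\PerfLogs\'
    # Fires on any one selection_* hit, or on 'ntds.dit' in the command line
    # combined with a parent/image path from the set1 directory list.
    condition: 1 of selection* or all of set1*
falsepositives:
    - Unknown
level: high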
imProcessCreate
| where (
        // selection_tool: known NTDS dumping tooling by image name or command-line markers
        (
            (TargetProcessName endswith "\\NTDSDump.exe" or TargetProcessName endswith "\\NTDSDumpEx.exe")
            or (TargetProcessCommandLine contains "ntds.dit" and TargetProcessCommandLine contains "system.hiv")
            or TargetProcessCommandLine contains "NTDSgrab.ps1"
        )
        // selection_oneliner_1: ntdsutil IFM creation, abbreviated form
        or (TargetProcessCommandLine contains "ac i ntds" and TargetProcessCommandLine contains "create full")
        // selection_onliner_2: copy of \windows\ntds\ntds.dit via cmd
        or (TargetProcessCommandLine contains "/c copy " and TargetProcessCommandLine contains "\\windows\\ntds\\ntds.dit")
        // selection_onliner_3: ntdsutil IFM creation, long form
        or (TargetProcessCommandLine contains "activate instance ntds" and TargetProcessCommandLine contains "create full")
        // selection_powershell: PowerShell command line referencing the database file
        or (TargetProcessCommandLine contains "powershell" and TargetProcessCommandLine contains "ntds.dit")
    )
    // set1_*: 'ntds.dit' on the command line AND a parent/image under a listed directory.
    // NOTE(review): the rule's ParentImage was rendered as both ParentProcessName and
    // ActingProcessName; confirm which ASIM field is populated in this environment.
    or (
        TargetProcessCommandLine contains "ntds.dit"
        and (
            (
                (
                    ParentProcessName contains "\\apache"
                    or ParentProcessName contains "\\tomcat"
                    or ParentProcessName contains "\\AppData\\"
                    or ParentProcessName contains "\\Temp\\"
                    or ParentProcessName contains "\\Public\\"
                    or ParentProcessName contains "\\PerfLogs\\"
                )
                or (
                    ActingProcessName contains "\\apache"
                    or ActingProcessName contains "\\tomcat"
                    or ActingProcessName contains "\\AppData\\"
                    or ActingProcessName contains "\\Temp\\"
                    or ActingProcessName contains "\\Public\\"
                    or ActingProcessName contains "\\PerfLogs\\"
                )
            )
            or (
                TargetProcessName contains "\\apache"
                or TargetProcessName contains "\\tomcat"
                or TargetProcessName contains "\\AppData\\"
                or TargetProcessName contains "\\Temp\\"
                or TargetProcessName contains "\\Public\\"
                or TargetProcessName contains "\\PerfLogs\\"
            )
        )
    )
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |