Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionlowtest

NTDS.DIT Created

Detects creation of a file named "ntds.dit" (Active Directory Database)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri May 050b8baa3f-575c-46ee-8715-d6f28cc7d33cwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
Internal Research
MITRE ATT&CK

Sub-techniques

T1003.003 · NTDS
Rule Metadata
Rule ID
0b8baa3f-575c-46ee-8715-d6f28cc7d33c
Status
test
Level
low
Type
Detection
Created
Fri May 05
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
Raw Tags
attack.credential-accessattack.t1003.003
View on GitHub