Detectionmediumtest

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Thomas PatzkeCreated Wed Jan 16Updated Fri Mar 112afafd61-6aae-4df4-baed-139fa1f4c345windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
    condition: selection

False Positives

NTDS maintenance

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

2afafd61-6aae-4df4-baed-139fa1f4c345

Status

test

Level

medium

Type

Detection

Created

Wed Jan 16

Modified

Fri Mar 11

Author

Path

rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml

Raw Tags

attack.credential-accessattack.t1003.003