
Dump Ntds.dit To Suspicious Location

Detects potential abuse of ntdsutil to dump the ntds.dit database (the Active Directory database) to a suspicious location, based on the ESENT "new database created" event that such a dump generates.

Author
Nasreddine Bencherchali (Nextron Systems)

Log Source
Product
Windows
Service
Application
Detection Logic (2 selectors)
detection:
    selection_root:
        Provider_Name: 'ESENT'
        EventID: 325 # New Database Created
        Data|contains: 'ntds.dit'
    selection_paths:
        Data|contains:
            # Add more locations that you don't use in your env or that are just suspicious
            - ':\ntds.dit'
            - '\Appdata\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
    condition: all of selection_*
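The following is an added example (not part of the Sigma rule or its author's tooling) that applies the rule's two selectors to a handful of constructed ESENT application-log events, so that the matching behaviour can be checked offline. It assumes a simplified event shape (provider name, event ID, and the event's Data field already flattened to one string) and follows Sigma's default of case-insensitive substring matching for the `contains` modifier.

```python
from dataclasses import dataclass
from typing import List

# Path fragments from the rule's selection_paths (Sigma 'contains' is case-insensitive).
SUSPICIOUS_PATH_FRAGMENTS = [
    r":\ntds.dit",
    r"\Appdata\\".rstrip("\\") + "\\",
    r"\Desktop\\".rstrip("\\") + "\\",
    r"\Downloads\\".rstrip("\\") + "\\",
    r"\Perflogs\\".rstrip("\\") + "\\",
    r"\Temp\\".rstrip("\\") + "\\",
    r"\Users\Public\\".rstrip("\\") + "\\",
]


@dataclass
class EsentEvent:
    """Simplified Windows Application log event (assumed shape, not a real API)."""
    provider_name: str
    event_id: int
    data: str  # the event's Data field, flattened to a single string


def matches_selection_root(ev: EsentEvent) -> bool:
    """selection_root: ESENT, EventID 325 (new database created), Data contains 'ntds.dit'."""
    return (
        ev.provider_name == "ESENT"
        and ev.event_id == 325
        and "ntds.dit" in ev.data.lower()
    )


def matches_selection_paths(ev: EsentEvent) -> bool:
    """selection_paths: Data contains any of the suspicious location fragments."""
    data = ev.data.lower()
    return any(fragment.lower() in data for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def matches_rule(ev: EsentEvent) -> bool:
    """condition: all of selection_*"""
    return matches_selection_root(ev) and matches_selection_paths(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[EsentEvent] = [
    # Dump written under a Temp folder: should match.
    EsentEvent("ESENT", 325, r"ntdsutil.exe (1234,D,0) Active Directory: The database engine created a new database (1, C:\Temp\Active Directory\ntds.dit)."),
    # Dump written to the drive root: should match via ':\ntds.dit'.
    EsentEvent("ESENT", 325, r"ntdsutil.exe (1234,D,0) Active Directory: The database engine created a new database (1, D:\ntds.dit)."),
    # Database created in the normal NTDS directory: no suspicious location, no match.
    EsentEvent("ESENT", 325, r"lsass.exe (700,D,0) NTDSA: The database engine created a new database (1, C:\Windows\NTDS\ntds.dit)."),
    # Same path under Temp but a different event ID (database attached, not created): no match.
    EsentEvent("ESENT", 326, r"ntdsutil.exe (1234,D,0) Active Directory: The database engine attached a database (1, C:\Temp\Active Directory\ntds.dit)."),
    # Right ID and path, wrong provider: no match.
    EsentEvent("Application Error", 325, r"C:\Users\Public\ntds.dit"),
]


def run_detection(events: List[EsentEvent] = SAMPLE_EVENTS) -> List[EsentEvent]:
    """Return the events that satisfy the full rule condition."""
    return [ev for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for hit in run_detection():
        print(f"ALERT EventID={hit.event_id} Data={hit.data}")
```

In production the Data field of event 325 is a list of strings rather than one string; joining them with a separator before matching, as the flattened `data` field above assumes, keeps the substring logic identical. The third sample shows why the path selector matters: a database created under `C:\Windows\NTDS\` is the normal location and would otherwise be flagged on every domain controller, which is the false-positive class the rule's description notes.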
False Positives

Legitimate backup operation/creating shadow copies

MITRE ATT&CK
Rule Metadata
Rule ID
94dc4390-6b7c-4784-8ffc-335334404650
Status
test
Level
medium
Type
Detection
Created
Sun Aug 14
Modified
Mon Oct 23
Path
rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
Raw Tags
attack.execution