Type: Detection | Level: medium | Status: test

Ntdsutil Abuse

Detects potential abuse of ntdsutil to dump the ntds.dit database

Author: Nasreddine Bencherchali (Nextron Systems) | Created: Sun Aug 14 | Rule ID: e6e88853-5f20-4c4a-8d26-cd469fd8d31f | Tag: windows
Log Source
Product: windows
Service: application
Detection Logic (1 selector)
detection:
    selection:
        Provider_Name: 'ESENT'
        EventID:
            - 216
            - 325
            - 326
            - 327
        Data|contains: 'ntds.dit'
    condition: selection
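To show what the single selector above actually matches, here is an added Python example (not part of the rule or of the Phoenix Studio site) that evaluates the same three conditions over constructed ESENT Application-log events. It assumes that the Sigma field `Data` maps to the list of EventData strings of a Windows event and that, following Sigma's default semantics, string matching is case-insensitive.

```python
"""Evaluate the win_esent_ntdsutil_abuse selector over constructed events."""
from dataclasses import dataclass

# Mirrors the rule: ESENT provider, one of four database lifecycle events,
# and an EventData string that mentions ntds.dit.
PROVIDER = "ESENT"
EVENT_IDS = {216, 325, 326, 327}
NEEDLE = "ntds.dit"


@dataclass
class Event:
    provider_name: str
    event_id: int
    data: list[str]  # EventData <Data> elements of the Application-log event


def matches(event: Event) -> bool:
    """Return True when the event satisfies the rule's selection block.

    Sigma compares strings case-insensitively by default, so both the
    provider name and the |contains needle are lowercased before comparing.
    Assumption: a list-valued Data field matches if any element contains
    the needle, which is how Sigma treats multi-valued fields.
    """
    if event.provider_name.lower() != PROVIDER.lower():
        return False
    if event.event_id not in EVENT_IDS:
        return False
    return any(NEEDLE in value.lower() for value in event.data)


def scan(events: list[Event]) -> list[Event]:
    """Return the events that would trigger the rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real captures): one true positive and three
# near-misses that each fail exactly one of the selector's conditions.
SAMPLE_EVENTS = [
    Event("ESENT", 325, ["lsass", "640,D,0", "NTDSA",
                         r"C:\Temp\ifm\Active Directory\ntds.dit"]),
    Event("ESENT", 326, ["svchost", "1120,R,0", "Wuaueng", r"C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"]),
    Event("Microsoft-Windows-Security-Auditing", 4688, ["ntdsutil.exe", "ifm"]),
    Event("ESENT", 102, ["lsass", "640,D,0", "NTDSA", r"C:\Windows\NTDS\ntds.dit"]),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT EventID {hit.event_id}: {hit.data[-1]}")
```

The second and fourth sample events show why both the path needle and the event-ID list are needed: routine ESENT activity on other databases, and ESENT events about ntds.dit that are not database creation, attach, detach or relocation, stay silent.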
False Positives

Legitimate backup operations or creation of shadow copies

MITRE ATT&CK
Rule Metadata
Rule ID
e6e88853-5f20-4c4a-8d26-cd469fd8d31f
Status
test
Level
medium
Type
Detection
Created
Sun Aug 14
Path
rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml
Raw Tags
attack.credential-access, attack.t1003.003