Find sigma rule

Attack: OS Credential Dumping: NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

Volume Shadow Copy
secretsdump.py
Using the in-built Windows tool, ntdsutil.exe
Invoke-NinjaCopy

MITRE

Tactic

credential-access

technique

T1003.003

Test : Create Volume Shadow Copy remotely (WMI) with esentutl

OS

windows

Description:

This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.

Executor

command_prompt

Sigma Rule

proc_creation_win_esentutl_sensitive_file_copy.yml (id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f)
proc_creation_win_wmic_process_creation.yml (id: 526be59f-a573-4eea-b5f7-f0973207634d)
proc_creation_win_wmiprvse_spawning_process.yml (id: d21374ff-f574-44a7-9998-4a8c8bf33d7d)
image_load_dll_vss_ps_susp_load.yml (id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test