Skip to content

T1003.003 Creation of Ntds.dit to Suspicious Location in Server

T1003.003 - Creation of Ntds.dit to Suspicious Location in Server

DESCRIPTION

Detects creation of a file named "ntds.dit" (Active Directory Database) to suspicious location in server

Example:

Output of ntdsutil “ac i ntds” “ifm” “create full c:\temp” q q

LOLBins
Credential Access

Reference:

https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
https://adsecurity.org/?p=2398

ATT&CK TACTICS

T1003.003 - OS Credential Dumping: NTDS

Data Source(s): File

SENTINEL RULE QUERY

1
2
3
4
5
let selection_paths = dynamic([@':\ntds.dit', @'\Appdata\', @'\Desktop\', @'\Downloads\', @'\Perflogs\', @'\Temp\', @'\Users\Public\']);
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath endswith @"\ntds.dit" and FolderPath has_any (selection_paths)
| where InitiatingProcessFileName <> "TiWorker.exe" //exclude Windows Modules Installer

Triage

  1. Verify the FolderPath, User account, and time of activities, whether it's expected

FalsePositive

  • Pentesting
  • Legitimate admin activities

VERSION

Version 1.0 (date: 15/03/2024)