Skip to content

T1003.003 OS Credential Dumping NTDS

T1003.003 OS Credential Dumping: NTDS

DESCRIPTION

Detects suspicious executed commands to create a copy or restore a snapshot of the ntds.dit file using Living Of the Land BINaries (LOLBIN).

Example:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data" "quit" "quit" wmic process call create "ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\Pro" wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil "ac i ntds" ifm ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit

Related

LOLBINs, Volt Typhoon activity

Reference

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://github.com/SigmaHQ/sigma/blob/49adcf9a00247ed6c3daacba03b589470f6716d0/rules/windows/process_creation/proc_creation_win_susp_ntds.yml
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

ATT&CK TACTICS

T1003.003 - OS Credential Dumping: NTDS

Data Source(s): Command, Process

SENTINEL RULE QUERY

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
let selection_main = dynamic(['wmic.exe','powershell.exe','cmd.exe','ntdsutil.exe']);
let selection_command = dynamic([' create', ' ntds']);
let selection_cli_1 = dynamic(['snapshot', 'mount ']);
union isfuzzy=true
(DeviceProcessEvents 
| where FolderPath has_any(selection_main) or ProcessVersionInfoOriginalFileName has_any(selection_main)
| where ProcessCommandLine has_all (selection_command) or ProcessCommandLine has_all (selection_cli_1)
),
(SecurityEvent 
| where EventID == 4688
| where Process has_any(selection_main) 
| where CommandLine has_all (selection_command) or CommandLine has_all (selection_cli_1)
)

Triage

  1. Inspect if the activity was expected and approved

False Positive

1
2
- Legitimate usage to restore snapshots
- Legitimate admin activity

Version

Version 1.0 (date 19/03/2024)