Event ID 325 —
## Fields

| Name | Description |
|---|---|
| Data | — |
## Example Event

```json
{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 325,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T08:15:12.107010+00:00",
    "event_record_id": 106,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "DFSRs",
      "2684,D,35",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db: ",
      "1",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_3CDA_D04B_DAD0_2D6\\dfsr.db",
      "0",
      "\n[1] 0.000092 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002221 -0.000629 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:5, WS:20K # 0K, PF:0K # 0K, P:0K)\n[3] 0.003757 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000245 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.001400 -0.000570 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:44, WS:164K # 0K, PF:256K # 0K, P:256K)\n[6] 0.001827 -0.000245 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:76, WS:304K # 0K, PF:224K # 0K, P:224K)\n[7] 0.000703 -0.000290 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000004 +J(0)\n[9] 0.001408 -0.000787 (3) WT +J(0) +M(C:-52K, Fs:8, WS:-28K # 0K, PF:-52K # 0K, P:-52K)\n[10] 0.002190 -0.000416 (6) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:46, WS:176K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000004 +J(0).",
      "0 0",
      "lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360)"
    ]
  },
  "message": ""
}
```
## Detection Patterns

Credential Access: NTDS (1 rule, Sigma)

## Detection Rules

Sigma:

- Dump Ntds.dit To Suspicious Location (level: medium): Detects potential abuse of ntdsutil to dump the ntds.dit database to a suspicious location
## References

- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx