Detection rules › Sigma
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003.003 OS Credential Dumping: NTDS |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
Rule body yaml
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'ntds.dit'
condition: selection
falsepositives:
- Unknown
level: low
Stages and Predicates
Stage 0: condition
selectionStage 1: selection
selection:
TargetFilename|endswith: 'ntds.dit'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | ends_with |
|