detection.wiki

Detection rules › Sigma

NTDS.DIT Creation By Uncommon Parent Process

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.003 OS Credential Dumping: NTDS

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection_file

TargetFilename|endswith: '\ntds.dit'

Stage 2: 1 of selection_process_parent

or:
ParentImage|endswith: '\cscript.exe'
ParentImage|endswith: '\httpd.exe'
ParentImage|endswith: '\nginx.exe'
ParentImage|endswith: '\php-cgi.exe'
ParentImage|endswith: '\powershell.exe'
ParentImage|endswith: '\pwsh.exe'
ParentImage|endswith: '\w3wp.exe'
ParentImage|endswith: '\wscript.exe'

Stage 3: 1 of selection_process_parent_path

or:
ParentImage|contains: '\AppData\'
ParentImage|contains: '\PerfLogs\'
ParentImage|contains: '\Public\'
ParentImage|contains: '\Temp\'
ParentImage|contains: '\apache'
ParentImage|contains: '\tomcat'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ParentImageends_with
  • \cscript.exe corpus 14 (sigma 14)
  • \httpd.exe corpus 6 (sigma 6)
  • \nginx.exe corpus 6 (sigma 6)
  • \php-cgi.exe corpus 6 (sigma 6)
  • \powershell.exe corpus 16 (sigma 16)
  • \pwsh.exe corpus 16 (sigma 16)
  • \w3wp.exe corpus 8 (sigma 8)
  • \wscript.exe corpus 14 (sigma 14)
ParentImagematch
  • \AppData\ corpus 2 (sigma 2)
  • \PerfLogs\ corpus 2 (sigma 2)
  • \Public\ corpus 2 (sigma 2)
  • \Temp\ corpus 2 (sigma 2)
  • \apache corpus 2 (sigma 2)
  • \tomcat corpus 6 (sigma 6)
TargetFilenameends_with
  • \ntds.dit corpus 2 (sigma 2)