Detection rules › Sigma

NTDS.DIT Creation By Uncommon Process

Status
test
Severity
high
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

MITRE ATT&CK coverage

Event coverage

ProviderEventTitle
SysmonEvent ID 11FileCreate

Rule body yaml

title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
    - https://adsecurity.org/?p=2398
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection_ntds:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_img:
        Image|endswith:
            # Add more suspicious processes as you see fit
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wt.exe'
    selection_process_paths:
        Image|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_ntds and 1 of selection_process_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection_ntds and 1 of selection_process_*

Stage 1: selection_ntds

selection_ntds:
    TargetFilename|endswith: '\ntds.dit'

Stage 2: selection_process_img

selection_process_img:
    Image|endswith:
        # Add more suspicious processes as you see fit
        - '\cmd.exe'
        - '\cscript.exe'
        - '\mshta.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\wscript.exe'
        - '\wsl.exe'
        - '\wt.exe'

Stage 3: selection_process_paths

selection_process_paths:
    Image|contains:
        - '\AppData\'
        - '\Temp\'
        - '\Public\'
        - '\PerfLogs\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \cmd.exe corpus 134 (sigma 134)
  • \cscript.exe corpus 76 (sigma 76)
  • \mshta.exe corpus 69 (sigma 69)
  • \powershell.exe corpus 186 (sigma 186)
  • \pwsh.exe corpus 172 (sigma 172)
  • \regsvr32.exe corpus 68 (sigma 68)
  • \rundll32.exe corpus 103 (sigma 103)
  • \wscript.exe corpus 78 (sigma 78)
  • \wsl.exe corpus 11 (sigma 11)
  • \wt.exe corpus 5 (sigma 5)
Imagematch
  • \AppData\ corpus 11 (sigma 11)
  • \PerfLogs\ corpus 5 (sigma 5)
  • \Public\ corpus 2 (sigma 2)
  • \Temp\ corpus 7 (sigma 7)
TargetFilenameends_with
  • \ntds.dit corpus 2 (sigma 2)