Suspicious Process Patterns NTDS.DIT Exfil

Severity: high
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects suspicious process patterns used in NTDS.DIT exfiltration

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.003` OS Credential Dumping: NTDS

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `1 of selection_tool`

or:
CommandLine|contains: ntds.dit
CommandLine|contains: system.hiv
CommandLine|contains: NTDSgrab.ps1
Image|endswith: '\NTDSDump.exe'
Image|endswith: '\NTDSDumpEx.exe'

Stage 2: `1 of selection_oneliner_1`

CommandLine|contains: 'ac i ntds'
CommandLine|contains: 'create full'

Stage 3: `1 of selection_onliner_2`

CommandLine|contains: '/c copy '
CommandLine|contains: '\windows\ntds\ntds.dit'

Stage 4: `1 of selection_onliner_3`

CommandLine|contains: 'activate instance ntds'
CommandLine|contains: 'create full'

Stage 5: `1 of selection_powershell`

CommandLine|contains: ntds.dit
CommandLine|contains: powershell

Stage 6: `all of set1_selection_ntds_dit`

CommandLine|contains: ntds.dit

Stage 7: `all of set1_selection_image_folder`

or:
Image|contains: '\AppData\'
Image|contains: '\PerfLogs\'
Image|contains: '\Public\'
Image|contains: '\Temp\'
Image|contains: '\apache'
Image|contains: '\tomcat'
ParentImage|contains: '\AppData\'
ParentImage|contains: '\PerfLogs\'
ParentImage|contains: '\Public\'
ParentImage|contains: '\Temp\'
ParentImage|contains: '\apache'
ParentImage|contains: '\tomcat'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/c copy` `NTDSgrab.ps1` `\windows\ntds\ntds.dit` corpus 2 (sigma 2) `ac i ntds` `activate instance ntds` `create full` `ntds.dit` `powershell` corpus 16 (sigma 16) `system.hiv`
`Image`	ends_with	`\NTDSDump.exe` `\NTDSDumpEx.exe`
`Image`	match	`\AppData\` corpus 9 (sigma 9) `\PerfLogs\` corpus 3 (sigma 3) `\Public\` corpus 2 (sigma 2) `\Temp\` corpus 5 (sigma 5) `\apache` `\tomcat`
`ParentImage`	match	`\AppData\` corpus 2 (sigma 2) `\PerfLogs\` corpus 2 (sigma 2) `\Public\` corpus 2 (sigma 2) `\Temp\` corpus 2 (sigma 2) `\apache` corpus 2 (sigma 2) `\tomcat` corpus 6 (sigma 6)

Suspicious Process Patterns NTDS.DIT Exfil

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: 1 of selection_tool

Stage 2: 1 of selection_oneliner_1

Stage 3: 1 of selection_onliner_2

Stage 4: 1 of selection_onliner_3

Stage 5: 1 of selection_powershell

Stage 6: all of set1_selection_ntds_dit

Stage 7: all of set1_selection_image_folder