NTDS file referenced in command line

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1003-os-credential-dumping

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect references to NTDS.dit file in command line

Strategy

All data in Active Directory is stored within the file ntds.dit. Typically located on the domain controller, there are a variety of methods available for a threat actor to extract this file, with the most common being utilization of the ntdsutil command or extracting it from a shadow copy or backup of the domain controller. This detection looks to identify when process arguments are referencing the ntds.dit file, as it could be evidence of a threat actor attempting to exfiltrate the file.

Triage and response

  1. Identify what is being executed and if it is actually accessing the ntds.dit file.
  2. If it’s not authorized, isolate the host from the network.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.50.0 or greater.

This rule is a part of the beta for detections on Windows! If you would like to try the new Windows agent, create a support ticket and indicate that you wish to join the Cloud Security Management - Windows beta.