NTDS file referenced in command line


What happened

The process {{ @process.executable.name }} referenced the NTDS.dit file in its command line arguments, potentially attempting to extract Active Directory data.

Goal

Detect references to the NTDS.dit file in process command-line arguments.

Strategy

The Active Directory database, including the password hashes of every domain account, is stored in the file ntds.dit on each domain controller (by default under %SystemRoot%\NTDS). The file is held open by the directory service while the domain controller is running, so a threat actor normally obtains a copy rather than reading it in place: the most common methods are an ntdsutil "install from media" (IFM) export, or copying the file out of a volume shadow copy or a domain controller backup. The copy is only useful together with the SYSTEM registry hive, which holds the key needed to decrypt the hashes, so the two are usually taken together. This detection looks for process arguments that reference ntds.dit, since such a reference can be evidence of an attempt to stage or exfiltrate the file. Note that an ntdsutil IFM export writes ntds.dit into the target directory without naming the file on the command line, so that technique should be covered by a separate detection on ntdsutil itself.
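The following is an added example, not code from this page or from the Datadog rule itself. It runs the detection logic described above over a handful of constructed process events (executable name and command line), matching ntds.dit case-insensitively, attaches a short triage verdict based on where the file was referenced from, and also shows the ntdsutil IFM gap: that command line does not contain the string ntds.dit, so a companion check on ntdsutil is included as my own addition. The event tuples and the verdict strings are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process events, not real telemetry:
# (process.executable.name, process command line)
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe",
     r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Users\Public\ntds.dit"),
    ("powershell.exe",
     r"powershell.exe -c Copy-Item 'D:\Backup\DC01\NTDS\ntds.dit' 'C:\Temp\'"),
    ("ntdsutil.exe",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'),
    ("notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ("svchost.exe", "svchost.exe -k netsvcs -p"),
]

# The rule's own condition: the file name appears in the command line, any case.
NTDS_DIT = re.compile(r"ntds\.dit", re.IGNORECASE)

# Companion check (my addition, not part of the page's rule): an ntdsutil
# IFM export writes ntds.dit without naming it on the command line.
NTDSUTIL_IFM = re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.IGNORECASE)


def references_ntds_dit(cmdline: str) -> bool:
    """True when the command line contains ntds.dit in any letter case."""
    return NTDS_DIT.search(cmdline) is not None


def classify(name: str, cmdline: str) -> Optional[str]:
    """Return a short triage verdict for the event, or None when nothing fires.

    The verdicts are illustrative labels chosen for this example; they point
    the analyst at the likely extraction method (shadow copy, backup, IFM).
    """
    if references_ntds_dit(cmdline):
        low = cmdline.lower()
        if "harddiskvolumeshadowcopy" in low:
            return "ntds.dit copied from a volume shadow copy"
        if "backup" in low:
            return "ntds.dit referenced under a backup path"
        return "ntds.dit referenced in command line"
    if NTDSUTIL_IFM.search(cmdline):
        return "ntdsutil IFM export (ntds.dit not named on command line)"
    return None


def run_detection(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify() to every event and return only the events that fire."""
    hits = []
    for name, cmdline in events:
        verdict = classify(name, cmdline)
        if verdict is not None:
            hits.append((name, cmdline, verdict))
    return hits


if __name__ == "__main__":
    for name, _cmdline, verdict in run_detection(SAMPLE_EVENTS):
        print(f"{name}: {verdict}")
```

Run against the constructed events, the cmd.exe and powershell.exe lines fire on the ntds.dit string itself, the ntdsutil.exe line fires only because of the companion IFM check, and the two benign lines are silent. The verdict text is the part an analyst would carry into triage: a copy out of a shadow copy device path is rarely legitimate, while a reference under a backup path deserves a check against the backup schedule before escalating.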

Triage and response

  1. Identify the process, its parent process, and the user account that launched it, and determine whether it actually read or copied the ntds.dit file. Backup software and administrative tooling on a domain controller may legitimately reference the file; a copy taken from a volume shadow copy device path or written to a user-writable location is far less likely to be authorized.
  2. If the activity is not authorized, isolate the host from the network and treat the domain's credentials as potentially exposed, since a copy of ntds.dit together with the SYSTEM hive yields the password hashes of every domain account.
  3. Follow your organization's internal processes for investigating and remediating compromised systems.

Requires Agent version 7.50.0 or greater.