Windows PowerShell suspicious Get-ADDBAccount usage
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects PowerShell commands using Get-ADDBAccount with BootKey and DatabasePath parameters to extract Active Directory credential hashes directly from database files.
Strategy
This rule monitors PowerShell module logging through @Event.EventData.Data.Payload for commands containing Get-ADDBAccount along with BootKey and DatabasePath parameters. This specific DSInternals PowerShell module cmdlet provides functionality to access Active Directory databases directly.
Direct database credential extraction bypasses normal authentication channels and security controls, potentially compromising the entire domain’s credential database. This technique requires privileged access and is rarely used for legitimate administrative purposes.
Triage & Response
- Examine the complete PowerShell command on
{{host}} including the targeted database path. - Validate authorization status for the account executing the command.
- Investigate the source and access path of the
NTDS.dit file being accessed. - Check for evidence of credential hash data exfiltration activities.
- Look for additional domain controller compromise indicators.
- Initiate emergency password resets for all domain accounts.
