NTDS file referenced in command line

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

What happened

The process {{ @process.executable.name }} referenced the NTDS.dit file in its command line arguments, potentially attempting to extract Active Directory data.

Goal

Detect references to NTDS.dit file in command line

Strategy

All data in Active Directory is stored within the file ntds.dit. Typically located on the domain controller, there are a variety of methods available for a threat actor to extract this file, with the most common being utilization of the ntdsutil command or extracting it from a shadow copy or backup of the domain controller. This detection looks to identify when process arguments are referencing the ntds.dit file, as it could be evidence of a threat actor attempting to exfiltrate the file.

Triage and response

  1. Identify what is being executed and if it is actually accessing the ntds.dit file.
  2. If it’s not authorized, isolate the host from the network.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.50.0 or greater.