Windows PowerShell suspicious Get-ADDBAccount usage
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects PowerShell commands using Get-ADDBAccount
with BootKey and DatabasePath parameters to extract Active Directory credential hashes directly from database files.
Strategy
This rule monitors PowerShell module logging through @Event.EventData.Data.Payload
for commands containing Get-ADDBAccount
along with BootKey
and DatabasePath
parameters. This specific DSInternals PowerShell module cmdlet provides functionality to access Active Directory databases directly.
Direct database credential extraction bypasses normal authentication channels and security controls, potentially compromising the entire domain’s credential database. This technique requires privileged access and is rarely used for legitimate administrative purposes.
Triage & Response
- Examine the complete PowerShell command on
{{host}}
including the targeted database path. - Validate authorization status for the account executing the command.
- Investigate the source and access path of the
NTDS.dit
file being accessed. - Check for evidence of credential hash data exfiltration activities.
- Look for additional domain controller compromise indicators.
- Initiate emergency password resets for all domain accounts.