Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1003-os-credential-dumping

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects PowerShell commands using Get-ADDBAccount with BootKey and DatabasePath parameters to extract Active Directory credential hashes directly from database files.

Strategy

This rule monitors PowerShell module logging through @Event.EventData.Data.Payload for commands containing Get-ADDBAccount along with BootKey and DatabasePath parameters. This specific DSInternals PowerShell module cmdlet provides functionality to access Active Directory databases directly.

Direct database credential extraction bypasses normal authentication channels and security controls, potentially compromising the entire domain’s credential database. This technique requires privileged access and is rarely used for legitimate administrative purposes.

Triage & Response

• Examine the complete PowerShell command on {{host}} including the targeted database path.
• Validate authorization status for the account executing the command.
• Investigate the source and access path of the NTDS.dit file being accessed.
• Check for evidence of credential hash data exfiltration activities.
• Look for additional domain controller compromise indicators.
• Initiate emergency password resets for all domain accounts.