Windows PowerShell suspicious Get-ADDBAccount usage
Goal
Detects PowerShell commands using Get-ADDBAccount with BootKey and DatabasePath parameters to extract Active Directory credential hashes directly from database files.
Strategy
This rule monitors PowerShell module logging through @Event.EventData.Data.Payload for commands containing Get-ADDBAccount together with the BootKey and DatabasePath parameters. Get-ADDBAccount is a cmdlet from the DSInternals PowerShell module that reads Active Directory database files directly; the DatabasePath parameter names the database file and BootKey supplies the key needed to decrypt the stored credential material.
Direct database credential extraction bypasses normal authentication channels and security controls, potentially compromising the entire domain’s credential database. This technique requires privileged access and is rarely used for legitimate administrative purposes.
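The matching logic described above, as an added example that is not part of Datadog's rule or the DSInternals project: it scans constructed PowerShell module-logging records (Event ID 4103) whose payload field mirrors @Event.EventData.Data.Payload, flags any payload that mentions Get-ADDBAccount together with BootKey and DatabasePath, and pulls out the targeted database path for the first triage step. The event dictionaries, host names, and payload text are constructed sample data; the ParameterBinding line format is assumed to follow the usual 4103 layout.

```python
import re
from typing import Iterable, Optional

# Constructed sample module-logging events (Event ID 4103). The "Payload"
# field stands in for @Event.EventData.Data.Payload in the rule above.
SAMPLE_EVENTS = [
    {   # Matches: cmdlet plus both parameters the rule looks for
        "EventID": 4103,
        "Host": "dc01.corp.example",
        "Payload": (
            'CommandInvocation(Get-ADDBAccount): "Get-ADDBAccount"\r\n'
            'ParameterBinding(Get-ADDBAccount): name="All"; value="True"\r\n'
            'ParameterBinding(Get-ADDBAccount): name="DatabasePath"; value="C:\\Temp\\ntds.dit"\r\n'
            'ParameterBinding(Get-ADDBAccount): name="BootKey"; value="<redacted>"'
        ),
    },
    {   # Does not match: same cmdlet but no BootKey, so no hash decryption
        "EventID": 4103,
        "Host": "admin-ws.corp.example",
        "Payload": (
            'CommandInvocation(Get-ADDBAccount): "Get-ADDBAccount"\r\n'
            'ParameterBinding(Get-ADDBAccount): name="DatabasePath"; value="D:\\Backup\\ntds.dit"'
        ),
    },
    {   # Does not match: unrelated cmdlet
        "EventID": 4103,
        "Host": "admin-ws.corp.example",
        "Payload": 'CommandInvocation(Get-Process): "Get-Process"',
    },
]

# All three tokens must be present; matching is case-insensitive because
# PowerShell parameter and cmdlet names are not case-sensitive.
REQUIRED_TOKENS = [
    re.compile(r"\bGet-ADDBAccount\b", re.IGNORECASE),
    re.compile(r"\bBootKey\b", re.IGNORECASE),
    re.compile(r"\bDatabasePath\b", re.IGNORECASE),
]

# Two payload shapes for the database path: the 4103 ParameterBinding form
# and an inline "-DatabasePath <value>" form as it would appear in command text.
_DBPATH_FORMS = [
    re.compile(r'name="DatabasePath";\s*value="([^"]+)"', re.IGNORECASE),
    re.compile(r"-DatabasePath\s+[\"']?([^\s\"']+)", re.IGNORECASE),
]


def is_suspicious_get_addbaccount(payload: str) -> bool:
    """True when the payload contains Get-ADDBAccount with BootKey and DatabasePath."""
    return all(token.search(payload) for token in REQUIRED_TOKENS)


def extract_database_path(payload: str) -> Optional[str]:
    """Return the targeted database path from the payload, or None if absent."""
    for form in _DBPATH_FORMS:
        match = form.search(payload)
        if match:
            return match.group(1)
    return None


def find_matches(events: Iterable[dict]) -> list:
    """Return the module-logging events that trigger the rule, with the path attached."""
    hits = []
    for event in events:
        if event.get("EventID") != 4103:
            continue  # rule scope is module logging only
        payload = event.get("Payload", "")
        if is_suspicious_get_addbaccount(payload):
            hits.append({
                "Host": event.get("Host"),
                "DatabasePath": extract_database_path(payload),
            })
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"suspicious Get-ADDBAccount on {hit['Host']}: {hit['DatabasePath']}")
```

Only the first constructed event is reported, with its host and the database path ready for the triage steps that follow; the second event shows why all three tokens are required rather than the cmdlet name alone.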
Triage & Response
- Examine the complete PowerShell command on {{host}}, including the targeted database path.
- Validate authorization status for the account executing the command.
- Investigate the source and access path of the NTDS.dit file being accessed.
- Check for evidence of credential hash data exfiltration activities.
- Look for additional domain controller compromise indicators.
- Initiate emergency password resets for all domain accounts.