NTDS file referenced in command line

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1003-os-credential-dumping

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

What happened

The process {{ @process.executable.name }} referenced the NTDS.dit file in its command line arguments, potentially attempting to extract Active Directory data.

Goal

Detect references to NTDS.dit file in command line

Strategy

All data in Active Directory is stored within the file ntds.dit. Typically located on the domain controller, there are a variety of methods available for a threat actor to extract this file, with the most common being utilization of the ntdsutil command or extracting it from a shadow copy or backup of the domain controller. This detection looks to identify when process arguments are referencing the ntds.dit file, as it could be evidence of a threat actor attempting to exfiltrate the file.

Triage and response

  1. Identify what is being executed and if it is actually accessing the ntds.dit file.
  2. If it’s not authorized, isolate the host from the network.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.50.0 or greater.