Techniques
Sample rules
Ntdsutil Abuse
- source: sigma
- techniques:
- t1003
- t1003.003
Description
Detects potential abuse of ntdsutil to dump the ntds.dit database
Detection logic
condition: selection
selection:
    Data|contains: ntds.dit
    EventID:
        - 216
        - 325
        - 326
        - 327
    Provider_Name: ESENT
Dump Ntds.dit To Suspicious Location
- source: sigma
- techniques:
Description
Detects potential abuse of ntdsutil to dump the ntds.dit database to a suspicious location
Detection logic
condition: all of selection_*
selection_paths:
    Data|contains:
        - :\ntds.dit
        - \Appdata\
        - \Desktop\
        - \Downloads\
        - \Perflogs\
        - \Temp\
        - \Users\Public\
selection_root:
    Data|contains: ntds.dit
    EventID: 325
    Provider_Name: ESENT
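As an added example (not code from the original page or from the Sigma project), the two rules above expressed as Python predicates and run over constructed ESENT Application-log records. It assumes each record is a dict carrying the Sigma field names Provider_Name, EventID and Data, and it applies Sigma's default case-insensitive string matching for `contains`.

```python
# Added example: evaluates the two Sigma rules above (ESENT events mentioning
# ntds.dit, and a fresh ntds.dit created under a suspicious path) against
# constructed Windows Application-log records. Not part of the original page.

SUSPICIOUS_PATHS = (
    ":\\ntds.dit", "\\Appdata\\", "\\Desktop\\", "\\Downloads\\",
    "\\Perflogs\\", "\\Temp\\", "\\Users\\Public\\",
)

def _contains(value, needle):
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in str(value).lower()

def _esent_event(event, event_ids):
    # Provider_Name is an exact (case-insensitive) match; EventID may be int or str.
    return (str(event.get("Provider_Name", "")).lower() == "esent"
            and str(event.get("EventID", "")) in event_ids)

def ntdsutil_abuse(event):
    """Rule 1: ESENT 216/325/326/327 whose Data field names ntds.dit."""
    return (_esent_event(event, {"216", "325", "326", "327"})
            and _contains(event.get("Data", ""), "ntds.dit"))

def ntds_dump_to_suspicious_location(event):
    """Rule 2: ESENT 325 (database created) with ntds.dit under a suspicious path."""
    data = event.get("Data", "")
    return (_esent_event(event, {"325"})
            and _contains(data, "ntds.dit")
            and any(_contains(data, p) for p in SUSPICIOUS_PATHS))

# Constructed sample records (field names follow the rules; values are invented).
SAMPLE_EVENTS = [
    {"Provider_Name": "ESENT", "EventID": 325,
     "Data": "ntdsutil (4321,D,0) C:\\Users\\Public\\AD\\ntds.dit created"},
    {"Provider_Name": "ESENT", "EventID": 327,
     "Data": "lsass (612,D,0) C:\\Windows\\NTDS\\ntds.dit detached"},
    {"Provider_Name": "ESENT", "EventID": 325,
     "Data": "svchost (900,D,0) C:\\ProgramData\\Search\\Windows.edb created"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 325,
     "Data": "C:\\Temp\\ntds.dit"},
]

def evaluate(events):
    """Return {rule_name: [indices of matching records]} for a list of records."""
    rules = {"ntdsutil_abuse": ntdsutil_abuse,
             "dump_to_suspicious_location": ntds_dump_to_suspicious_location}
    return {name: [i for i, e in enumerate(events) if rule(e)]
            for name, rule in rules.items()}
```

Calling `evaluate(SAMPLE_EVENTS)` shows that the broader rule fires on both ntds.dit records while the location rule fires only on the database created under \Users\Public\; the non-ESENT record with a \Temp\ path is ignored by both, as the Provider_Name selection requires.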