Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- source: sigma
- techniques:
  - t1003
  - t1003.003
Description
Detects execution of ntdsutil.exe, the built-in Active Directory maintenance tool, which an attacker on a domain controller can use to dump the NTDS database (NTDS.DIT) and the SYSTEM hive needed to decrypt it (OS credential dumping, T1003.003). Legitimate administrative use, such as creating Install From Media (IFM) sets for DC promotion or offline database maintenance, produces the same event, so the CommandLine should be reviewed before escalating.
Detection logic
selection:
  Image|endswith: \ntdsutil.exe
condition: selection
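The following is an added example, not code from the rule page or the Sigma project: a minimal evaluator for the selection above, run over a few constructed Sysmon Event ID 1 (process creation) records. It follows the Sigma convention that string comparisons are case-insensitive unless the cased modifier is used. The second, OriginalFileName-based selection at the end is my own addition to show why an Image-only match is easy to evade; it is not part of the rule as shown on this page.

```python
"""Evaluate the Sigma selection `Image|endswith: \\ntdsutil.exe` over
constructed Sysmon process-creation events (added example, not from the page)."""

from typing import Dict, List, Union

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # true positive: classic IFM dump of NTDS.DIT from a domain controller
        "Image": "C:\\Windows\\System32\\ntdsutil.exe",
        "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp" q q',
        "OriginalFileName": "ntdsutil.exe",
    },
    {   # still matches: Sigma matching is case-insensitive by default
        "Image": "c:\\windows\\system32\\NTDSUTIL.EXE",
        "CommandLine": "NTDSUTIL.EXE",
        "OriginalFileName": "ntdsutil.exe",
    },
    {   # benign: unrelated system process
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
        "OriginalFileName": "svchost.exe",
    },
    {   # evasion: attacker copied ntdsutil.exe under another name; Image no longer ends
        # with \ntdsutil.exe, but the PE OriginalFileName recorded by Sysmon still does
        "Image": "C:\\Users\\Public\\nt.exe",
        "CommandLine": 'nt.exe "ac i ntds" "ifm" "create full C:\\temp" q q',
        "OriginalFileName": "ntdsutil.exe",
    },
]

# The selection exactly as it appears in the rule above.
SELECTION: Dict[str, str] = {"Image|endswith": "\\ntdsutil.exe"}

# Hypothetical hardened selection (my assumption, not on the page): a list of maps
# is OR-ed in Sigma, so either the image path or the PE original name can match.
HARDENED_SELECTION: List[Dict[str, str]] = [
    {"Image|endswith": "\\ntdsutil.exe"},
    {"OriginalFileName": "ntdsutil.exe"},
]

Selection = Union[Dict[str, str], List[Dict[str, str]]]


def field_matches(event: Dict[str, str], key: str, expected: str) -> bool:
    """Apply one Sigma field check, e.g. 'Image|endswith', to a single event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:  # absent field never matches
        return False
    v, e = value.lower(), expected.lower()  # Sigma default: case-insensitive
    if modifier == "":
        return v == e
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "contains":
        return e in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """A map selection ANDs its key/value pairs; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, sub) for sub in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rule(events: List[Dict[str, str]], selection: Selection = SELECTION) -> List[int]:
    """condition: selection -> return indices of events that fire the rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, selection)]


if __name__ == "__main__":
    for name, sel in (("page selection", SELECTION), ("hardened selection", HARDENED_SELECTION)):
        hits = run_rule(SAMPLE_EVENTS, sel)
        print(f"{name}: events {hits} matched")
        for i in hits:
            print(f"  [{i}] {SAMPLE_EVENTS[i]['CommandLine']}")
```

With the page's selection, events 0 and 1 fire and the renamed copy in event 3 slips through; adding an OriginalFileName check catches it because Sysmon takes that value from the PE version resource, which a simple rename does not change (an attacker can still patch the binary, so treat it as a raise of the bar, not a guarantee). In either case the CommandLine, here the "ifm" / "create full" arguments, is what separates a credential dump from routine administration.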