attack.t1003.003

Create Volume Shadow Copy with Powershell
level
status experimental

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Suspicious Process Writes Ntds.dit
level
status experimental

Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file

Judgement Panda Credential Access Activity
level
status test

Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
level
status test

Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)

Transferring Files with Credential Data via Network Shares - Zeek
level
status test

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Transferring Files with Credential Data via Network Shares
level
status test

Transferring files with well-known filenames (sensitive files with credential data) using network shares

Shadow Copies Creation Using Operating Systems Utilities
level
status test

Shadow Copies creation using operating systems utilities, possible credential access

Shadow Copies Access via Symlink
level
status test

Shadow Copies storage symbolic link creation using operating systems utilities

Possible Impacket SecretDump Remote Activity - Zeek
level
status test

Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml

Possible Impacket SecretDump Remote Activity
level
status experimental

Detect AD credential dumping using impacket secretdump HKTL

Esentutl Gather Credentials
level
status experimental

Conti recommended to its affiliates that they use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.

DIT Snapshot Viewer Use
level
status test

Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
