Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file
Detects Russian group activity as described in the Global Threat Report 2019 by CrowdStrike
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Transferring files with well-known filenames (sensitive files with credential data) using network shares
Shadow Copies creation using operating system utilities, possible credential access
Shadow Copies storage symbolic link creation using operating system utilities
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Detect AD credential dumping using impacket secretdump HKTL
Conti recommendation to its affiliates to use esentutl to access a dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
Detects the use of the Ditsnap tool, which appears to be a tool used by ransomware groups.