main/Windows Chainsaw/sigma rules/proc_creation_win_susp_ntds.yml

title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
status: experimental
author: Florian Roth
references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://pentestlab.blog/tag/ntds-dit/
    - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
    - https://github.com/zcgonvh/NTDSDumpEx
    - https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
date: 2022/03/11
tags:
    - attack.credential_access
    - attack.t1003.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_tool:
        # https://github.com/zcgonvh/NTDSDumpEx
        - Image|endswith: 
            - '\NTDSDump.exe'
            - '\NTDSDumpEx.exe'
        - CommandLine|contains|all:
            # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
            - 'ntds.dit'
            - 'system.hiv'
        - CommandLine|contains: 'NTDSgrab.ps1'
    selection_oneliner_1:
        # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
        CommandLine|contains|all:
            - 'ac i ntds'
            - 'create full'
    selection_onliner_2:
        # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
        CommandLine|contains|all:
            - '/c copy '
            - '\windows\ntds\ntds.dit'
    selection_powershell:
        CommandLine|contains|all:
            - 'powershell'
            - 'ntds.dit'
    set1_selection_ntds_dit:
        CommandLine|contains: 'ntds.dit'
    set1_selection_image_folder:
        - ParentImage|contains:
            - '\apache'
            - '\tomcat'
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
        - Image|contains:
            - '\apache'
            - '\tomcat'
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: 1 of selection* or all of set1*
falsepositives:
    - Unknown
level: high