-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2019-08-002.yaml
62 lines (61 loc) · 2.3 KB
/
CAR-2019-08-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
---
title: Active Directory Dumping via NTDSUtil
submission_date: 2019/08/13
information_domain: 'Host'
platforms:
- Windows
subtypes:
- File
analytic_types:
- TTP
contributors:
- Tony Lambert/Red Canary
id: CAR-2019-08-002
description: |-
The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path.
This requires filesystem data to determine whether files have been created.
coverage:
- technique: T1003
tactics:
- TA0006
subtechniques:
- T1003.003
coverage: Low
implementations:
- name: NTDSUtil - File Create
description: This base pseudocode looks for file create events where a file with a name of ntds.dit is created by the ntdsutil process.
code: |-
files = search File:Create
ntds_dump = filter files where (
file_name = "ntds.dit" and
image_path = "*ntdsutil.exe")
output ntds_dump
type: Pseudocode
- name: NTDSUtil - File Create
description: A Splunk/Sysmon version of the above pseudocode.
code: |-
index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"
type: Splunk
data_model: Sysmon native
- name: NTDSUtil - File Create
description: An EQL version of the above pseudocode.
code: |-
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"
type: EQL
data_model: EQL native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe"
type: LogPoint
data_mode: LogPoint native
data_model_references:
- file/create/file_name
- file/create/image_path
unit_tests:
- description: |-
1. Open a Windows Command Prompt or PowerShell instance as Administrator
2. Execute `ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q`
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis