Closed ForensicITGuy closed 5 years ago
@ForensicITGuy thanks for this submission as well! Just to clarify, is the file name created by ntdsutil.exe also deterministic?
Hey @ikiril01 that is correct. When specifying a location using ntdsutil.exe it will create a folder and the directory structure should be named ntds.dit. I haven't tested the possibility of ntds (1).dit, etc. but I've never seen someone assign it an arbitrary name from ntdsutil.exe.
@ForensicITGuy sounds good - thanks for the heads up/clarification.
Added in #34.
Credential Dumping via Windows Task Manager
The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation ("ifm" / "create full") and specifying a folder path. This process writes a copy of the Active Directory database, ntds.dit, beneath the specified folder path. Detecting this requires filesystem data to determine whether the files have been created, in addition to process creation data for the ntdsutil.exe invocation itself.
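As an added illustration of the detection logic described above (this is example code written for this page, not CAR's analytic and not code from the submitter), the following Python flags an ntdsutil.exe process launched with IFM creation arguments, flags ntdsutil.exe writing a file named ntds.dit (the deterministic name discussed in the thread), and then correlates the two on process ID. The events are constructed, Sysmon-style records (EventID 1 for process creation, EventID 11 for file creation); field names follow Sysmon's schema, but the values are made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed Sysmon-style events for this example. Process 4412 performs the
# IFM dump described above; 5520 and 6001 are benign activity that must not alert.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q',
     "User": "CORP\\admin", "ProcessId": 4412},
    {"EventID": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"c:\temp\Active Directory\ntds.dit", "ProcessId": 4412},
    {"EventID": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"c:\temp\registry\SYSTEM", "ProcessId": 4412},
    # Benign: ntdsutil used to inspect database files, no IFM media created.
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "files" "info" q q',
     "User": "CORP\\admin", "ProcessId": 5520},
    # Benign: unrelated process writing an unrelated file.
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\admin\notes.txt", "ProcessId": 6001},
]


@dataclass(frozen=True)
class Alert:
    rule: str        # which detection fired
    process_id: int  # Sysmon ProcessId, used for correlation
    detail: str      # command line or target file that triggered the rule


# "ifm" followed later on the command line by "create full" or
# "create sysvol full"; the quoting between the arguments is irrelevant.
IFM_CREATE = re.compile(r"\bifm\b.*\bcreate\s+(?:sysvol\s+)?full\b", re.IGNORECASE)


def _base_name(path: str) -> str:
    """Return the lower-cased final path component (handles \\ and /)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_ntdsutil_ifm(events: Iterable[Dict]) -> List[Alert]:
    """Apply both detections to a stream of Sysmon-style events."""
    alerts: List[Alert] = []
    for ev in events:
        if _base_name(ev.get("Image", "")) != "ntdsutil.exe":
            continue
        if ev.get("EventID") == 1 and IFM_CREATE.search(ev.get("CommandLine", "")):
            alerts.append(Alert("ntdsutil_ifm_process", ev["ProcessId"], ev["CommandLine"]))
        elif ev.get("EventID") == 11 and _base_name(ev.get("TargetFilename", "")) == "ntds.dit":
            alerts.append(Alert("ntdsutil_ntds_dit_written", ev["ProcessId"], ev["TargetFilename"]))
    return alerts


def correlate_by_process(alerts: Iterable[Alert]) -> Set[int]:
    """Process IDs for which both the process-creation and the file-creation
    detections fired: the highest-confidence indication of an AD dump."""
    seen: Dict[int, Set[str]] = {}
    for a in alerts:
        seen.setdefault(a.process_id, set()).add(a.rule)
    return {pid for pid, rules in seen.items()
            if {"ntdsutil_ifm_process", "ntdsutil_ntds_dit_written"} <= rules}


if __name__ == "__main__":
    found = detect_ntdsutil_ifm(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.rule}: pid={a.process_id} {a.detail}")
    print("correlated process IDs:", correlate_by_process(found))
```

The two detections are kept separate on purpose: the process-creation rule alone is defeated by renaming or wrapping the binary, while the file-creation rule alone also fires on legitimate IFM media creation by administrators, so pairing them on process ID gives a triage signal that is stronger than either source by itself.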
ATT&CK Coverage
Analytic Code
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
Pseudocode
Splunk, Sysmon native
EQL
Test Cases
ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
Developer Certificate of Origin
DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com