mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

Dumping Active Directory via NTDSUtil #28

Closed ForensicITGuy closed 5 years ago

ForensicITGuy commented 5 years ago

Credential Dumping via Windows Task Manager

The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.

This requires filesystem data to determine whether files have been created.

ATT&CK Coverage

| Technique          | Level of Coverage |
|--------------------|-------------------|
| Credential Dumping | Moderate          |

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

files = search File:Create
ntds_dump = filter files where (
    file_name = "ntds.dit"  and
    image_path = "*ntdsutil.exe")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"

EQL

file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"

Test Cases

  1. Open a Windows Command Prompt or PowerShell instance as Administrator
  2. Execute ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

| Object | Action | Field      |
|--------|--------|------------|
| file   | create | file_name  |
| file   | create | image_path |

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert tony.lambert@redcanary.com
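The pseudocode, Splunk and EQL searches above all express the same rule: a file-create event whose file name is ntds.dit and whose creating image is ntdsutil.exe. As an added example (not code from the CAR repository or from the issue author), the following Python implements that rule over a handful of constructed Sysmon Event ID 11 (FileCreate) records. It compares only the basename of both paths, case-insensitively, since Windows paths are case-insensitive, and takes an optional `allow_numbered_variant` switch that also accepts names like "ntds (1).dit"; the thread raises such names as untested, so treating them as in scope is an assumption of this example, not something the analytic asserts. The record layout and all sample values are constructed for illustration.

```python
"""Detection logic for the 'Dumping Active Directory via NTDSUtil' analytic,
run over constructed Sysmon Event ID 11 (FileCreate) records."""
import re
from pathlib import PureWindowsPath

# Matches 'ntds.dit' and, when enabled, numbered variants such as 'ntds (1).dit'.
# The thread raises those variants as untested; matching them is an assumption
# of this example, not part of the analytic as submitted.
NTDS_NAME = re.compile(r"^ntds(?: \(\d+\))?\.dit$", re.IGNORECASE)


def is_ntdsutil_dump(event, allow_numbered_variant=False):
    """Return True when a file-create event matches the analytic:
    file_name == 'ntds.dit' written by a process whose image is ntdsutil.exe."""
    if str(event.get("EventCode")) != "11":          # Sysmon FileCreate only
        return False
    target = PureWindowsPath(event.get("TargetFilename", "")).name
    image = PureWindowsPath(event.get("Image", "")).name
    if image.lower() != "ntdsutil.exe":              # image_path = "*ntdsutil.exe"
        return False
    if allow_numbered_variant:
        return NTDS_NAME.match(target) is not None
    return target.lower() == "ntds.dit"              # file_name = "ntds.dit"


def find_ntds_dumps(events, allow_numbered_variant=False):
    """Filter a list of event records down to those matching the analytic."""
    return [e for e in events if is_ntdsutil_dump(e, allow_numbered_variant)]


# Constructed sample records in the shape of Sysmon FileCreate/FileDelete fields.
SAMPLE_EVENTS = [
    # IFM export to the folder given on the command line: should match
    {"EventCode": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\temp\Active Directory\ntds.dit", "User": r"CORP\admin"},
    # Same activity with different path casing: should still match
    {"EventCode": 11, "Image": r"C:\Windows\System32\NTDSUTIL.EXE",
     "TargetFilename": r"C:\Users\Public\NTDS.DIT", "User": r"CORP\admin"},
    # Numbered variant: matches only with allow_numbered_variant=True
    {"EventCode": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\temp\Active Directory\ntds (1).dit", "User": r"CORP\admin"},
    # Backup engine writing ntds.dit: wrong image, should not match
    {"EventCode": 11, "Image": r"C:\Windows\System32\wbengine.exe",
     "TargetFilename": r"D:\backup\ntds.dit", "User": r"NT AUTHORITY\SYSTEM"},
    # ntdsutil writing a registry hive, not the database: should not match
    {"EventCode": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\temp\registry\SYSTEM", "User": r"CORP\admin"},
    # FileDelete (Event ID 23) of ntds.dit: not a create, should not match
    {"EventCode": 23, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\temp\Active Directory\ntds.dit", "User": r"CORP\admin"},
]

if __name__ == "__main__":
    for hit in find_ntds_dumps(SAMPLE_EVENTS):
        print(f"NTDS dump: {hit['User']} via {hit['Image']} -> {hit['TargetFilename']}")
```

Run as a script it prints the two strict matches; pass `allow_numbered_variant=True` to `find_ntds_dumps` to see the third. The backup-engine record is the case the analytic deliberately leaves alone: the Splunk search keys on `Image="*ntdsutil.exe"` rather than on the file name alone, which is what keeps legitimate backup copies of ntds.dit out of the results.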

ikiril01 commented 5 years ago

@ForensicITGuy thanks for this submission as well! Just to clarify, is the file name created by ntdsutil.exe also deterministic?

ForensicITGuy commented 5 years ago

Hey @ikiril01 that is correct. When specifying a location using ntdsutil.exe it will create a folder and the directory structure should be named ntds.dit. I haven't tested the possibility of ntds (1).dit, etc. but I've never seen someone assign it an arbitrary name from ntdsutil.exe.

ikiril01 commented 5 years ago

@ForensicITGuy sounds good - thanks for the heads up/clarification.

ikiril01 commented 5 years ago

Added in #34.