Query Details

NTDS Dit File Modifications

Query

// Author: Alex Teixeira ([email protected])
search in(DeviceFileEvents) "ntds" and "dit" and ActionType:"FileModified"
| where Timestamp > ago(90d)
| summarize Device_Count=dcount(DeviceId), Device_Sample=take_any(DeviceName), File_Count=dcount(FolderPath), File_Sample=take_any(FolderPath), Last_Seen=max(Timestamp) by InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName
| sort by Device_Count desc, File_Count desc

About this query

Explanation

This query is designed to detect modifications to the NTDS.DIT file, which is a critical component of Microsoft's Active Directory. The NTDS.DIT file contains sensitive information, including user credentials, and unauthorized modifications to this file could indicate malicious activity, such as credential dumping.

Here's a simple breakdown of what the query does:

  1. Search Scope: The query looks for file events related to the NTDS.DIT file within the last 90 days. It specifically searches for events where the file has been modified.

  2. Data Collection: It collects data from devices where these modifications have occurred, including:

    • The number of unique devices involved (Device_Count).
    • A sample device name (Device_Sample).
    • The number of unique file paths involved (File_Count).
    • A sample file path (File_Sample).
    • The most recent timestamp of such an event (Last_Seen).
  3. Grouping and Sorting: The results are grouped by the process that initiated the modification, including:

    • The name of the parent process (InitiatingProcessParentFileName).
    • The folder path of the initiating process (InitiatingProcessFolderPath).
    • The account name under which the process ran (InitiatingProcessAccountName).
  4. Output: The results are sorted by the number of devices and file paths involved, in descending order, to prioritize the most widespread or frequent modifications.

This query helps identify potential security threats by highlighting unusual or unauthorized modifications to the NTDS.DIT file, which could be indicative of an attack on the Active Directory infrastructure.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceFileEvents

Keywords

DevicesFilesProcessesActiveDirectoryDomainController

Operators

searchinandwheresummarizedcounttake_anymaxbysortdescago

MITRE Techniques

Actions

GitHub