Query Details

NTDS Dump

Query

Query:
DeviceFileEvents
| where (InitiatingProcessFileName has_any ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and InitiatingProcessCommandLine has_any ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")) or InitiatingProcessFileName contains "esentutl.exe"
| where InitiatingProcessCommandLine has_any ("ntds.dit", "SAM", "HarddiskVolumeShadowCopy", "system32/config/SAM")
| where InitiatingProcessParentFileName != @"SenseIR.exe"


Explanation

This query hunts in DeviceFileEvents for attempts to copy the Windows credential stores (the Active Directory database ntds.dit and the local SAM hive) using a copy utility or esentutl.exe. It applies three filters. The first keeps events whose initiating process is "Cmd.Exe", "PowerShell.EXE" or "XCOPY.EXE" with a command line containing one of the copy/move keywords "copy", "xcopy", "Copy-Item", "move", "cp" or "mv", or, alternatively, events whose initiating process file name contains "esentutl.exe".

The second filter requires the initiating process command line to name one of "ntds.dit", "SAM", "HarddiskVolumeShadowCopy" or "system32/config/SAM". Note that has_any matches whole terms case-insensitively, so "SAM" matches the hive name as a separate path component but not, for example, "sample".

The third filter excludes events whose initiating process parent is "SenseIR.exe", the Microsoft Defender for Endpoint investigation component, so the product's own automated investigation activity does not surface as a hit.
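As an added illustration that is not part of the original query page, the Python below re-implements the query's three filter stages over constructed DeviceFileEvents rows, approximating KQL's has_any as whole-term sequence matching and contains as case-insensitive substring matching. The sample rows, the helper names and the treatment of terms as alphanumeric runs are assumptions made for this example.

```python
import re
TERM_RE = re.compile(r"[A-Za-z0-9]+")

def terms(text):
    """Approximate KQL term tokenisation: alphanumeric runs, case-folded."""
    return [t.lower() for t in TERM_RE.findall(text)]

def has_any(text, needles):
    """Approximate KQL has_any: a needle matches only as a whole term sequence."""
    hay = terms(text)
    for needle in needles:
        want = terms(needle)
        n = len(want)
        if n and any(hay[i:i + n] == want for i in range(len(hay) - n + 1)):
            return True
    return False

def contains(text, needle):
    """KQL contains: case-insensitive substring match."""
    return needle.lower() in text.lower()

COPY_TOOLS = ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE")
COPY_VERBS = ("copy", "xcopy", "Copy-Item", "move", "cp", "mv")
SECRET_STORES = ("ntds.dit", "SAM", "HarddiskVolumeShadowCopy", "system32/config/SAM")

def ntds_dump_filter(event):
    """True if the row survives all three 'where' stages of the query."""
    name, cmd = event["InitiatingProcessFileName"], event["InitiatingProcessCommandLine"]
    copy_tool = has_any(name, COPY_TOOLS) and has_any(cmd, COPY_VERBS)
    if not (copy_tool or contains(name, "esentutl.exe")):
        return False  # stage 1: copy tooling or esentutl.exe
    if not has_any(cmd, SECRET_STORES):
        return False  # stage 2: a credential store is named
    return event["InitiatingProcessParentFileName"] != "SenseIR.exe"  # stage 3: exact, case-sensitive

def run_query(events):
    return [e for e in events if ntds_dump_filter(e)]
# Constructed sample rows (not real telemetry); only the columns the query reads.
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessCommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
    {"InitiatingProcessFileName": "esentutl.exe", "InitiatingProcessParentFileName": "cmd.exe",
     "InitiatingProcessCommandLine": r"esentutl.exe /y C:\Windows\System32\config\SAM /d C:\Temp\SAM"},
    {"InitiatingProcessFileName": "powershell.exe", "InitiatingProcessParentFileName": "explorer.exe",
     "InitiatingProcessCommandLine": r"powershell.exe Copy-Item C:\Users\jdoe\report.docx D:\Backup\report.docx"},
    {"InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "SenseIR.exe",
     "InitiatingProcessCommandLine": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
]

if __name__ == "__main__":
    print([e["InitiatingProcessFileName"] for e in run_query(SAMPLE_EVENTS)])
```

Rows 1 and 2 are the only hits; row 3 is a benign Copy-Item and row 4 is suppressed by the SenseIR.exe exclusion. Row 1 is caught only through "ntds.dit": under whole-term matching the needle "HarddiskVolumeShadowCopy" does not match the term "HarddiskVolumeShadowCopy1", which is worth verifying against live data before relying on that keyword alone.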

Details

Ali Hussein

Released: September 24, 2023

Tables

DeviceFileEvents

Keywords

Devices,Intune,User

Operators

where, has_any, and, contains, !=