Query Details

NTDS File Create Modify

Query

# Rule : NTDS.DIT File Creation or Copy Activity

## Description
This detection identifies instances where the **NTDS.dit** file — the Active Directory database file containing credential and identity data — is **created or copied** on a Windows system.  
Such activity is highly suspicious, as attackers often attempt to copy or extract this file to obtain password hashes and authentication data from a domain controller.  

Legitimate access to `NTDS.dit` is typically restricted to the **Active Directory process (LSASS)** and backup utilities running under **SYSTEM context**. Therefore, detection of file creation or copy events targeting this file outside expected system paths may indicate credential theft or **Active Directory database exfiltration** attempts.

- Reference: [MITRE ATT&CK – T1003.003: OS Credential Dumping: NTDS](https://attack.mitre.org/techniques/T1003/003/)

## Detection Logic
- Monitors **DeviceFileEvents** for actions related to `ntds.dit`.
- Flags when a file named `ntds.dit` is **created** or **copied**.
- Common sources of this behavior in attacks include:
  - Use of tools such as **ntdsutil**, **esentutl**, or **copy** commands.
  - Shadow copy or Volume Snapshot Service (VSS) abuse to access the file.
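As an added example (not the rule's own KQL or any project code), the Python below re-implements the detection logic over constructed DeviceFileEvents-style records and attaches the expected-path triage hint the description mentions; the `C:\Windows\NTDS` default database location and the sample events are assumptions.

```python
"""Stand-alone re-implementation of the NTDS.dit create/copy rule.
Runs over constructed DeviceFileEvents-style records (not real telemetry)."""
from pathlib import PureWindowsPath

WATCHED_FILE = "ntds.dit"
FLAGGED_ACTIONS = {"FileCreated", "FileCopied"}
# Assumed default location of the live AD database on a domain controller.
EXPECTED_DIRS = (PureWindowsPath(r"C:\Windows\NTDS"),)

SAMPLE_EVENTS = [  # constructed sample records, not captured telemetry
    {"DeviceName": "dc01", "ActionType": "FileModified", "FileName": "ntds.dit",
     "FolderPath": r"C:\Windows\NTDS\ntds.dit", "InitiatingProcessFileName": "lsass.exe"},
    {"DeviceName": "dc01", "ActionType": "FileCreated", "FileName": "NTDS.DIT",
     "FolderPath": r"C:\Temp\NTDS.DIT", "InitiatingProcessFileName": "ntdsutil.exe"},
    {"DeviceName": "dc01", "ActionType": "FileCreated", "FileName": "ntds.dit",
     "FolderPath": r"C:\Windows\NTDS\ntds.dit", "InitiatingProcessFileName": "lsass.exe"},
    {"DeviceName": "ws01", "ActionType": "FileCreated", "FileName": "ntds.dit.txt",
     "FolderPath": r"C:\Users\a\ntds.dit.txt", "InitiatingProcessFileName": "notepad.exe"},
]

def matches_rule(event):
    """KQL `FileName =~ "ntds.dit"` is case-insensitive equality, not a substring test,
    so `ntds.dit.txt` does not match; `in (...)` is an exact, case-sensitive set test."""
    return (event.get("FileName", "").lower() == WATCHED_FILE
            and event.get("ActionType") in FLAGGED_ACTIONS)

def outside_expected_path(event):
    """True when the file sits anywhere other than the AD database directory.
    FolderPath may carry the full file path or only the folder; handle both."""
    path = PureWindowsPath(event.get("FolderPath", ""))
    directory = path.parent if path.name.lower() == WATCHED_FILE else path
    # PureWindowsPath equality is case-insensitive, matching Windows semantics.
    return not any(directory == d for d in EXPECTED_DIRS)

def run_detection(events):
    """Return (device, action, path, process, hint) for each event the rule flags."""
    hits = []
    for e in events:
        if not matches_rule(e):
            continue
        hint = "outside-expected-path" if outside_expected_path(e) else "expected-path"
        hits.append((e["DeviceName"], e["ActionType"], e["FolderPath"],
                     e["InitiatingProcessFileName"], hint))
    return hits

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The hint only orders triage: a create in the expected directory by the AD process is routine, while a copy of the file to another location is the case the rule exists for.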

## Tags
- MITRE ATT&CK: T1003.003 (OS Credential Dumping: NTDS)
- Category: Credential Access  
- Platform: Windows  
- Data Source: DeviceFileEvents  
- Severity: High  

## Search Query
```kql
DeviceFileEvents
| where FileName =~ "ntds.dit"
| where ActionType in ("FileCreated","FileCopied")
```

Explanation

This query is designed to detect suspicious activities involving the NTDS.dit file on Windows systems. The NTDS.dit file is crucial as it contains sensitive Active Directory data, including user credentials. Unauthorized creation or copying of this file is a red flag for potential security breaches, such as attempts to steal credentials or exfiltrate the Active Directory database.

Here's a simplified breakdown of the query and its purpose:

  • Purpose: To identify when the NTDS.dit file is created or copied, which could indicate malicious activity aimed at accessing sensitive credential data.
  • How it Works:
    • It monitors file events on devices, specifically looking for actions involving the NTDS.dit file.
    • It flags events where this file is either created or copied, as these actions are unusual and potentially harmful.
  • Why It's Important:
    • The NTDS.dit file should only be accessed by specific system processes or backup utilities. Any other access might suggest an attempt to steal credentials.
    • Detecting such actions can help prevent unauthorized access to sensitive data and protect against credential theft.
  • Tools and Techniques: Attackers might use tools like ntdsutil, esentutl, or abuse system features like shadow copies to access this file.

Overall, this query is a security measure to detect and alert on potential threats to the integrity and confidentiality of Active Directory data.

Details

Ali Hussein

Released: October 13, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

=~, in, where