Rule : NTDS.DIT File Creation or Copy Activity
NTDS File Create Modify
Query
DeviceFileEvents
| where FileName =~ "ntds.dit"
| where ActionType in ("FileCreated","FileCopied")About this query
Explanation
This query is designed to detect suspicious activities involving the NTDS.dit file on Windows systems. The NTDS.dit file is crucial as it contains sensitive Active Directory data, including user credentials. Unauthorized creation or copying of this file is a red flag for potential security breaches, such as attempts to steal credentials or exfiltrate the Active Directory database.
Here's a simplified breakdown of the query and its purpose:
- Purpose: To identify when the NTDS.dit file is created or copied, which could indicate malicious activity aimed at accessing sensitive credential data.
- How it Works:
- It monitors file events on devices, specifically looking for actions involving the NTDS.dit file.
- It flags events where this file is either created or copied, as these actions are unusual and potentially harmful.
- Why It's Important:
- The NTDS.dit file should only be accessed by specific system processes or backup utilities. Any other access might suggest an attempt to steal credentials.
- Detecting such actions can help prevent unauthorized access to sensitive data and protect against credential theft.
- Tools and Techniques: Attackers might use tools like
ntdsutil,esentutl, or abuse system features like shadow copies to access this file.
Overall, this query is a security measure to detect and alert on potential threats to the integrity and confidentiality of Active Directory data.
