Query Details

Rule : NTDS.DIT File Creation or Copy Activity

NTDS File Create Modify

Query

DeviceFileEvents
| where FileName =~ "ntds.dit"
| where ActionType in ("FileCreated","FileCopied")

About this query

Explanation

This query is designed to detect suspicious activities involving the NTDS.dit file on Windows systems. The NTDS.dit file is crucial as it contains sensitive Active Directory data, including user credentials. Unauthorized creation or copying of this file is a red flag for potential security breaches, such as attempts to steal credentials or exfiltrate the Active Directory database.

Here's a simplified breakdown of the query and its purpose:

  • Purpose: To identify when the NTDS.dit file is created or copied, which could indicate malicious activity aimed at accessing sensitive credential data.
  • How it Works:
    • It monitors file events on devices, specifically looking for actions involving the NTDS.dit file.
    • It flags events where this file is either created or copied, as these actions are unusual and potentially harmful.
  • Why It's Important:
    • The NTDS.dit file should only be accessed by specific system processes or backup utilities. Any other access might suggest an attempt to steal credentials.
    • Detecting such actions can help prevent unauthorized access to sensitive data and protect against credential theft.
  • Tools and Techniques: Attackers might use tools like ntdsutil, esentutl, or abuse system features like shadow copies to access this file.

Overall, this query is a security measure to detect and alert on potential threats to the integrity and confidentiality of Active Directory data.

Details

Ali Hussein profile picture

Ali Hussein

Released: October 13, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents

Operators

=~in|where

MITRE Techniques

Actions

GitHub