Query Details

RULE 12 AD VSS NTDS Dump Attempt

Query

// =========================================================
// RULE-12 | AD-VSS-NTDS-Dump-Attempt
// Description : NTDS.dit extraction via VSS or direct tooling.
//               Detects Event 4688 CommandLine patterns for:
//               - vssadmin create shadow (VSS snapshot of C:)
//               - ntdsutil (IFM media / snapshot)
//               - diskshadow (scripted VSS)
//               - esentutl /p or /y against ntds.dit / SYSTEM
//               - secretsdump / impacket (only visible when run on a
//                 monitored Windows host; a remote run against a DC
//                 creates no process on the DC and is not seen here)
//               - reg save of the SYSTEM / SAM / SECURITY hives
//               Once an attacker has NTDS.dit + SYSTEM hive
//               they can extract every domain hash offline.
// Prereq      : 4688 CommandLine is only populated when the audit
//               policy "Include command line in process creation
//               events" is enabled; MDE ProcessCommandLine is not
//               affected by that policy.
// Severity    : Critical (any match on a DC)
//               High     (match on non-DC — staging/extraction)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.003 — NTDS
// Tables      : SecurityEvent, DeviceProcessEvents (optional)
// =========================================================

let LookBack = 15m;

// has_any matches whole terms and phrases, not regular expressions, so
// regex-style entries such as "copy .*ntds" or "reg save.*SYSTEM" do not
// match the way they read. "ntds.dit" already catches copy/robocopy of the
// database by name, and "reg save" catches every hive backup (SYSTEM, SAM
// and SECURITY included), which the Technique mapping below labels
// Registry_Hive_Backup. "ntds" on its own is deliberately absent: as a
// whole term it would not match "ntdsutil" anyway, but it would match the
// C:\Windows\NTDS path of every legitimate backup job on a DC.
let NTDSPatterns = dynamic([
    "vssadmin", "create shadow",
    "ntdsutil", "activate instance ntds",
    "ifm", "diskshadow",
    "esentutl",
    "ntds.dit",
    "secretsdump", "impacket",
    "reg save"
]);

// Known DCs: 4768 (Kerberos TGT requested) is logged only by the KDC, so
// every Computer that emitted one in the last 3 days is a domain controller.
// If SecurityEvent is not collected from the DCs this list is empty and
// nothing below is rated Critical.
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DC = toupper(Computer);

// SecurityEvent 4688 detection
let SE_NTDSDump = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4688
    | where isnotempty(CommandLine)
    | where CommandLine has_any (NTDSPatterns)
    | extend
        Source      = "SecurityEvent_4688",
        Actor       = SubjectUserName,
        ActorDomain = SubjectDomainName,
        Process     = NewProcessName,
        CmdLine     = CommandLine,
        Host        = Computer,
        IsOnDC      = (toupper(Computer) in~ (KnownDCNames));

// MDE DeviceProcessEvents (Sentinel-ingested table, hence TimeGenerated).
// AccountName/AccountDomain is the account that ran the new process;
// InitiatingProcessAccountName/Domain describe the parent process instead.
let MDE_NTDSDump = DeviceProcessEvents
    | where TimeGenerated > ago(LookBack)
    | where ProcessCommandLine has_any (NTDSPatterns)
        or FileName in~ ("vssadmin.exe", "ntdsutil.exe",
                          "diskshadow.exe", "esentutl.exe")
    | extend
        Source      = "MDE_DeviceProcessEvents",
        Actor       = AccountName,
        ActorDomain = AccountDomain,
        Process     = FileName,
        CmdLine     = ProcessCommandLine,
        Host        = DeviceName,
        // DeviceName is normally the FQDN, like SecurityEvent.Computer, so
        // the same DC list applies; stays false when KnownDCNames is empty.
        IsOnDC      = (toupper(DeviceName) in~ (KnownDCNames));

// vssadmin list/delete shadows also hit the "vssadmin" term. Only a create
// is a snapshot; the rest is triage context (or ransomware preparation).
union SE_NTDSDump, MDE_NTDSDump
| extend
    Technique = case(
        CmdLine has "vssadmin" and CmdLine has "create", "VSS_Shadow_Create",
        CmdLine has "vssadmin",       "VSSAdmin_Other",
        CmdLine has "ntdsutil",       "NTDSUtil_IFM",
        CmdLine has "diskshadow",     "DiskShadow_VSS",
        CmdLine has "esentutl",       "Esentutl_DB_Offline_Copy",
        CmdLine has "secretsdump",    "Impacket_secretsdump",
        CmdLine has "reg save",       "Registry_Hive_Backup",
        "Generic_NTDS_Access"
    )
| extend
    Severity = case(IsOnDC, "Critical", "High"),
    WhySuspicious = strcat(
        "NTDS_Dump_Technique: ", Technique, "; ",
        "Actor: ", Actor, "; ",
        iff(IsOnDC, "Executed_On_DC; ", "NonDC_Host; "),
        "CmdLine: ", CmdLine
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    Actor,
    ActorDomain,
    Process,
    Technique,
    CmdLine,
    Host,
    IsOnDC,
    Source
| order by Severity asc, TimeGenerated desc

Explanation

This query detects attempts to extract NTDS.dit, the Active Directory database that holds the password hashes of every domain account, from a monitored Windows host. Here is a breakdown of what it does:

  1. Purpose: The query looks for process-creation activity associated with NTDS.dit extraction by the tools and methods listed below. Once an attacker holds NTDS.dit together with the SYSTEM hive (which contains the boot key needed to decrypt the database), every domain hash can be recovered offline. This is MITRE ATT&CK T1003.003 (OS Credential Dumping: NTDS).

  2. Detection Patterns: The query matches command lines against a list of terms and phrases (has_any, which matches whole terms and phrases, not regular expressions) associated with Volume Shadow Copy creation or direct access to NTDS.dit:

    • vssadmin create shadow
    • ntdsutil (IFM media creation or snapshot)
    • diskshadow (scripted VSS)
    • esentutl (offline copy or repair of the database)
    • references to ntds.dit itself, which also covers copy and robocopy of the file
    • secretsdump or impacket, which only show up in process-creation data when run on a monitored Windows host; a remote secretsdump against a DC creates no process on the DC, so that path is outside this rule
    • reg save of registry hives (SYSTEM, SAM, SECURITY)
  3. Data Sources: The query checks two data sources and unions the results:

    • SecurityEvent: Event ID 4688, which logs process creation. The CommandLine field is only populated when the audit policy "Include command line in process creation events" is enabled; without it the SecurityEvent leg of this rule sees nothing.
    • DeviceProcessEvents: Process-creation telemetry from Microsoft Defender for Endpoint (MDE), which carries ProcessCommandLine regardless of the Windows audit policy.
  4. Known Domain Controllers: It builds the list of DCs from Event ID 4768 (Kerberos TGT requested) over the past three days. 4768 is logged by the KDC, so any host that emitted one is a domain controller. If SecurityEvent is not collected from the DCs, the list is empty and nothing is rated Critical.

  5. Severity Levels: The query assigns a severity level to each detected activity:

    • Critical: The activity occurs on a domain controller, where the live NTDS.dit resides.
    • High: The activity occurs on a non-domain controller, which points to staging of a copied NTDS.dit and SYSTEM hive, or to local hive dumps (SAM/SECURITY) as a stepping stone.
  6. Output: The results include details such as:

    • Time of the event
    • Severity level
    • Why the activity is suspicious (technique, actor, DC status and command line in one string)
    • Actor (user) and account domain
    • Process image and technique label
    • Command line used
    • Host where the activity occurred, and whether it is a domain controller
    • Source of the detection (SecurityEvent or MDE)
  7. Frequency: The query runs every 15 minutes and looks back over the past 15 minutes. A look-back equal to the run interval leaves no overlap for ingestion delay, so events that land in the workspace late are never evaluated; setting LookBack a few minutes longer than the interval (and deduplicating on TimeGenerated, Host and CmdLine in the analytics rule) is the usual fix.

Triage notes: backup agents on DCs legitimately create shadow copies and some run ntdsutil ifm on a schedule, so expect a short allow-list of service accounts; vssadmin list or delete shadows matches the vssadmin term but is not an extraction by itself (delete shadows is more often ransomware preparation); a 4688 or MDE event for esentutl or reg save on a workstation under an ordinary user account is rarely benign.

Overall, this query monitors and alerts on potential unauthorized attempts to access or extract the Active Directory credential database.
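As an added example that is not part of the rule or the author's code, the Python script below re-implements the SecurityEvent leg of the rule over a handful of constructed 4688/4768 records, with a small emulation of KQL has/has_any term matching. The emulation is an assumption about Kusto's tokenizer (alphanumeric terms, a multi-term phrase matched as consecutive whole terms, case-insensitive); hostnames, accounts, timestamps and command lines are constructed for the example and are not real telemetry.

```python
import re

# Emulation of KQL `has` / `has_any` (assumption: Kusto splits both sides into
# alphanumeric terms and a multi-term search phrase must appear as consecutive
# whole terms, case-insensitively). Two properties matter for this rule:
# "ntds" does not match inside "ntdsutil", and a regex-looking entry such as
# "copy .*ntds" is searched as the phrase "copy ntds", not as a regex.
_TERM = re.compile(r"[A-Za-z0-9]+")


def kql_has(text, phrase):
    """True if `phrase` occurs in `text` as a run of whole terms (KQL `has`)."""
    terms = [t.lower() for t in _TERM.findall(text)]
    wanted = [t.lower() for t in _TERM.findall(phrase)]
    if not wanted:
        return False
    n = len(wanted)
    return any(terms[i:i + n] == wanted for i in range(len(terms) - n + 1))


def kql_has_any(text, phrases):
    return any(kql_has(text, p) for p in phrases)


# Same term list as the rule's NTDSPatterns.
NTDS_PATTERNS = [
    "vssadmin", "create shadow",
    "ntdsutil", "activate instance ntds",
    "ifm", "diskshadow",
    "esentutl",
    "ntds.dit",
    "secretsdump", "impacket",
    "reg save",
]


def technique(cmd):
    """Mirror of the rule's case() that labels a matched command line."""
    if kql_has(cmd, "vssadmin") and kql_has(cmd, "create"):
        return "VSS_Shadow_Create"
    if kql_has(cmd, "vssadmin"):
        return "VSSAdmin_Other"        # list/delete shadows: triage, not a dump
    if kql_has(cmd, "ntdsutil"):
        return "NTDSUtil_IFM"
    if kql_has(cmd, "diskshadow"):
        return "DiskShadow_VSS"
    if kql_has(cmd, "esentutl"):
        return "Esentutl_DB_Offline_Copy"
    if kql_has(cmd, "secretsdump"):
        return "Impacket_secretsdump"
    if kql_has(cmd, "reg save"):
        return "Registry_Hive_Backup"
    return "Generic_NTDS_Access"


def known_dcs(events):
    """Hosts that logged 4768 (TGT requested) are KDCs, i.e. domain controllers."""
    return {e["Computer"].upper() for e in events if e["EventID"] == 4768}


def detect(events):
    """Apply the SecurityEvent leg of RULE-12 to a list of 4688/4768 records."""
    dcs = known_dcs(events)
    alerts = []
    for e in events:
        cmd = e.get("CommandLine", "")
        if e["EventID"] != 4688 or not cmd:   # 4688 without CommandLine is invisible
            continue
        if not kql_has_any(cmd, NTDS_PATTERNS):
            continue
        on_dc = e["Computer"].upper() in dcs
        alerts.append({
            "TimeGenerated": e["TimeGenerated"],
            "Severity": "Critical" if on_dc else "High",
            "Technique": technique(cmd),
            "Actor": e["SubjectUserName"],
            "Host": e["Computer"],
            "IsOnDC": on_dc,
            "CmdLine": cmd,
        })
    # order by Severity asc, TimeGenerated desc (two stable sorts)
    alerts.sort(key=lambda a: a["TimeGenerated"], reverse=True)
    alerts.sort(key=lambda a: a["Severity"])
    return alerts


# Constructed sample events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-24T09:00:00Z", "EventID": 4768,
     "Computer": "DC01.corp.example", "SubjectUserName": "-", "CommandLine": ""},
    {"TimeGenerated": "2026-03-24T09:05:00Z", "EventID": 4688,
     "Computer": "dc01.corp.example", "SubjectUserName": "svc_backup",
     "CommandLine": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\ifm" q q'},
    {"TimeGenerated": "2026-03-24T09:06:00Z", "EventID": 4688,
     "Computer": "WS042.corp.example", "SubjectUserName": "jdoe",
     "CommandLine": "reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv"},
    {"TimeGenerated": "2026-03-24T09:07:00Z", "EventID": 4688,
     "Computer": "FS01.corp.example", "SubjectUserName": "admin",
     "CommandLine": "vssadmin list shadows"},
    {"TimeGenerated": "2026-03-24T09:08:00Z", "EventID": 4688,
     "Computer": "WS042.corp.example", "SubjectUserName": "jdoe",
     "CommandLine": "copy C:\\Temp\\report.docx D:\\Backup\\"},
    {"TimeGenerated": "2026-03-24T09:09:00Z", "EventID": 4688,
     "Computer": "WS042.corp.example", "SubjectUserName": "jdoe",
     "CommandLine": ""},   # command-line auditing off: nothing to match
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["Severity"], a["Technique"], a["Host"], a["Actor"], a["CmdLine"], sep=" | ")
```

Running it prints three alerts, the Critical ntdsutil hit on the DC first, then the two High hits newest first; the unrelated copy and the event with an empty command line produce nothing. The point of the emulation is that whole-term matching is what the rule relies on: it never fires on the NTDS path inside "ntdsutil", and a regex-looking entry does not act as a regex. Before shipping pattern changes, run the real KQL against a known shadow-copy or IFM event from a lab DC rather than trusting the emulation.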

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent, DeviceProcessEvents

Keywords

SecurityEvent, DeviceProcessEvents, Computer, CommandLine, ProcessCommandLine, FileName, DeviceName, SubjectUserName, SubjectDomainName, InitiatingProcessAccountName, InitiatingProcessAccountDomain

Operators

let, dynamic, ago, summarize, by, toupper, where, isnotempty, has_any, extend, in~, or, union, case, strcat, iff, project, order by, desc, asc
