2019-01-16 22:36:31 +00:00
title: Activity Related to NTDS.dit Domain Hash Retrieval
status: experimental
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
author: Florian Roth, Michael Haag, Alec Costello
references:
    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
    - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
    - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - vssadmin.exe Delete Shadows
            - 'vssadmin create shadow /for=C:'
            - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
            - copy \\?\GLOBALROOT\Device\\*\config\SAM
            - 'vssadmin delete shadows /for=C:'
            - 'reg SAVE HKLM\SYSTEM '
            - esentutl.exe /y /vss *\ntds.dit*
            - esentutl.exe /y /vss *\SAM
            - esentutl.exe /y /vss *\SYSTEM
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative activity
level: high
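Added example, not part of the rule or of the Sigma project: a small Python harness that evaluates the CommandLine values above against constructed process-creation command lines, once under Sigma's default whole-field matching and once under |contains semantics, to show which entries only fire on an exact command line (for instance 'reg SAVE HKLM\SYSTEM ' followed by an output path) and which miss a command prefixed with cmd.exe /c. Assumptions: backslashes are taken literally (Sigma's escaping rules are not modelled) and the sample command lines are constructed, not real telemetry.

```python
import re

# Selection values copied from the rule's CommandLine list above.
SELECTION = [
    r"vssadmin.exe Delete Shadows",
    r"vssadmin create shadow /for=C:",
    r"copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit",
    r"copy \\?\GLOBALROOT\Device\\*\config\SAM",
    r"vssadmin delete shadows /for=C:",
    r"reg SAVE HKLM\SYSTEM ",
    r"esentutl.exe /y /vss *\ntds.dit*",
    r"esentutl.exe /y /vss *\SAM",
    r"esentutl.exe /y /vss *\SYSTEM",
]

# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r"vssadmin create shadow /for=C:",
    r"cmd.exe /c vssadmin create shadow /for=C:",
    r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit",
    r"reg SAVE HKLM\SYSTEM C:\temp\system.hiv",
    r"vssadmin list shadows",
]

def to_regex(value, contains=False):
    """Compile one Sigma string value to a case-insensitive regex.
    '*' is any run of characters, '?' exactly one; everything else,
    backslashes included, is literal (simplification: Sigma's backslash
    escaping is not modelled). Without a modifier the value must cover
    the whole field; with |contains it may appear anywhere in it."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in value)
    if contains:
        body = ".*" + body + ".*"
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def matching_values(command_line, contains=False):
    """Return the selection values that fire on one command line."""
    return [v for v in SELECTION if to_regex(v, contains).fullmatch(command_line)]

def evaluate(events, contains=False):
    """Map each command line to the values that fire under the chosen semantics."""
    return {e: matching_values(e, contains) for e in events}

if __name__ == "__main__":
    for contains in (False, True):
        print("|contains semantics:" if contains else "default whole-field match:")
        for line, hits in evaluate(SAMPLE_EVENTS, contains).items():
            print(f"  {'HIT ' if hits else 'miss'} {line}")
```

Under the default semantics only the bare vssadmin line and the esentutl line fire; the reg SAVE line and the cmd.exe-prefixed line are caught only once the values are matched as substrings.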