2017-03-16 23:23:55 +00:00
title : Activity Related to NTDS.dit Domain Hash Retrieval
status : experimental
description : Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
2017-03-26 00:27:26 +00:00
author : Florian Roth, Michael Haag
2018-01-27 23:24:16 +00:00
references :
2017-03-16 23:25:54 +00:00
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
2017-03-26 00:27:26 +00:00
- https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
2017-03-16 23:23:55 +00:00
logsource :
product : windows
service : sysmon
detection :
selection :
EventID : 1
CommandLine :
# Ransomware
- 'vssadmin.exe Delete Shadows'
# Hacking
- 'vssadmin create shadow /for=C:'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit'
2017-03-16 23:25:54 +00:00
- 'copy \\?\GLOBALROOT\Device\*\config\SAM'
2017-03-16 23:23:55 +00:00
- 'vssadmin delete shadows /for=C:'
- 'reg SAVE HKLM\SYSTEM '
condition : selection
2017-09-12 21:54:04 +00:00
fields :
- CommandLine
- ParentCommandLine
2018-08-07 06:27:24 +00:00
tags :
- attack.credential_access
- attack.t1003
2017-03-16 23:23:55 +00:00
falsepositives :
- Administrative activity
level : high