--- action: global title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) status: experimental references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke detection: selection: CommandLine: '*\ntdsutil.exe *' condition: selection falsepositives: - NTDS maintenance level: high --- logsource: product: windows service: sysmon detection: selection: EventID: 1 --- logsource: product: windows service: security description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' detection: selection: EventID: 4688