mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
924e1feb54
* Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
35 lines
1.4 KiB
YAML
35 lines
1.4 KiB
YAML
title: Dumping ntds.dit remotely via DCSync
|
|
id: 51238c62-2b29-4539-ad75-e94575368a12
|
|
description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
|
|
author: Teymur Kheirkhabarov, oscd.community
|
|
date: 2019/10/24
|
|
modified: 2019/11/13
|
|
references:
|
|
- https://twitter.com/gentilkiwi/status/1003236624925413376
|
|
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
|
|
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection1:
|
|
EventID: 4624
|
|
ComputerName: '%DomainControllersNamesList%'
|
|
selection2:
|
|
IpAddress: '%DomainControllersIpsList%'
|
|
selection3:
|
|
EventID: 4662
|
|
ComputerName: '%DomainControllersNamesList%'
|
|
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
|
|
Properties|contains:
|
|
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
|
|
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
|
|
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
|
|
falsepositives:
|
|
- Legitimate administrator adding new domain controller to already existing domain
|
|
level: medium
|
|
status: experimental
|