mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-07 01:55:21 +00:00
35 lines
1.3 KiB
YAML
Executable File
35 lines
1.3 KiB
YAML
Executable File
title: Activity Related to NTDS.dit Domain Hash Retrieval
|
|
status: experimental
|
|
description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
|
|
author: Florian Roth, Michael Haag
|
|
references:
|
|
- https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
|
|
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
|
|
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
|
|
- https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 1
|
|
CommandLine:
|
|
# Ransomware
|
|
- 'vssadmin.exe Delete Shadows'
|
|
# Hacking
|
|
- 'vssadmin create shadow /for=C:'
|
|
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit'
|
|
- 'copy \\?\GLOBALROOT\Device\*\config\SAM'
|
|
- 'vssadmin delete shadows /for=C:'
|
|
- 'reg SAVE HKLM\SYSTEM '
|
|
condition: selection
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1003
|
|
falsepositives:
|
|
- Administrative activity
|
|
level: high
|