rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml

title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
status: test
description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
author: Florian Roth (Nextron Systems)
date: 2022/03/16
tags:
    - attack.credential_access
    - attack.t1003.003
logsource:
    product: windows
    category: ps_module
    definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
    selection:
        Payload|contains|all:
            - 'Get-ADDBAccount'
            - 'BootKey '
            - 'DatabasePath '
    condition: selection
falsepositives:
    - Unknown
level: high
rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00			`title: Suspicious Get-ADDBAccount Usage`
			`id: b140afd9-474b-4072-958e-2ebb435abd68`
$frack113$ change status to test 2023-01-27 06:48:34 +01:00			`status: test`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers`
rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00			`references:`
			`- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/`
			`- https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems)`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`date: 2022/03/16`
rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00			`tags:`
			`- attack.credential_access`
			`- attack.t1003.003`
			`logsource:`
			`product: windows`
			`category: ps_module`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: PowerShell Module Logging must be enabled'`
rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00			`detection:`
			`selection:`
			`Payload\|contains\|all:`
			`- 'Get-ADDBAccount'`
			`- 'BootKey '`
			`- 'DatabasePath '`
			`condition: selection`
			`falsepositives:`
chore: test rules: capitalization on FP list entries 2022-05-09 13:37:43 +02:00			`- Unknown`
rule: remote thread creation, get-addbaccount 2022-03-16 15:21:01 +01:00			`level: high`