rules: NTDS.DIT exfiltration

rules/windows/file_event/file_event_win_ntds_dit.yml

@@ -0,0 +1,45 @@
+title: Suspicious NTDS.DIT Creation
+id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
+description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
+status: experimental
+author: Florian Roth
+references:
+    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
+    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
+    - https://pentestlab.blog/tag/ntds-dit/
+    - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
+date: 2022/03/11
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_file:
+        TargetFilename|endswith: '\ntds.dit'
+    selection_process:
+        - ParentImage|endswith: 
+            - '\powershell.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\w3wp.exe'
+            - '\php-cgi.exe'
+            - '\nginx.exe'
+            - '\httpd.exe'
+        - ParentImage|contains:
+            - '\apache'
+            - '\tomcat'
+            - '\AppData\'
+            - '\Temp\'
+            - '\Public\'
+            - '\PerfLogs\'
+        - Image|contains:
+            - '\AppData\'
+            - '\Temp\'
+            - '\Public\'
+            - '\PerfLogs\'
+    condition: selection_file and 1 of selection_process*
+falsepositives:
+    - Unknown
+level: high

rules/windows/file_event/file_event_win_ntds_exfil_tools.yml

@@ -0,0 +1,25 @@
+title: Suspicious NTDS Exfil Filename Patterns
+id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
+description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
+status: experimental
+author: Florian Roth
+references:
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/ntds_grabber.rb
+    - https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
+    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+date: 2022/03/11
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_file:
+        TargetFilename|endswith: 
+            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps
+            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+    condition: selection_file
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_ntds.yml

@@ -0,0 +1,66 @@
+title: Suspicious Process Patterns NTDS.DIT Exfil
+id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
+description: Detects suspicious process patterns used in NTDS.DIT exfiltration
+status: experimental
+author: Florian Roth
+references:
+    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
+    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
+    - https://pentestlab.blog/tag/ntds-dit/
+    - https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
+    - https://github.com/zcgonvh/NTDSDumpEx
+    - https://github.com/rapid7/metasploit-framework/blob/master/data/post/powershell/NTDSgrab.ps1
+date: 2022/03/11
+tags:
+    - attack.credential_access
+    - attack.t1003.003
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_tool:
+        # https://github.com/zcgonvh/NTDSDumpEx
+        - Image|endswith: 
+            - '\NTDSDump.exe'
+            - '\NTDSDumpEx.exe'
+        - CommandLine|contains|all:
+            # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
+            - 'ntds.dit'
+            - 'system.hiv'
+        - CommandLine|contains:
+            - 'NTDSgrab.ps1'
+    selection_oneliner_1:
+        # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
+        - CommandLine|contains|all:
+            - 'ac i ntds'
+            - 'create full'
+    selection_onliner_2:
+        # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
+        - CommandLine|contains|all:
+            - '/c copy '
+            - '\windows\ntds\ntds.dit'
+    selection_powershell:
+        CommandLine|contains|all:
+            - 'powershell'
+            - 'ntds.dit'
+    set1_selection_ntds_dit:
+        CommandLine|contains: 'ntds.dit'
+    set1_selection_image_folder:
+        - ParentImage|contains:
+            - '\apache'
+            - '\tomcat'
+            - '\AppData\'
+            - '\Temp\'
+            - '\Public\'
+            - '\PerfLogs\'
+        - Image|contains:
+            - '\apache'
+            - '\tomcat'
+            - '\AppData\'
+            - '\Temp\'
+            - '\Public\'
+            - '\PerfLogs\'
+    condition: 1 of selection* or all of set1*
+falsepositives:
+    - Unknown
+level: high