security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml
T
Florian Roth b96d30acc7 docs: adjustments
2022-03-11 18:13:54 +01:00

23 lines
662 B
YAML
Raw Blame History

title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
author: Thomas Patzke
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
date: 2019/01/16
modified: 2022/03/11 # increased level
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
level: medium
tags:
- attack.credential_access
- attack.t1003.003
Reference in New Issue View Git Blame Copy Permalink