EXPLORE
Sign In
← Back to Explore
sigmahighHunting

NTDS Exfiltration Filename Patterns

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

MITRE ATT&CK

T1003.003
credential-access

Detection Query

selection:
  TargetFilename|endswith:
    - \All.cab
    - .ntds.cleartext
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-03-11

Data Sources

windowsFile Events

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.003
Raw Content
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
    condition: selection
falsepositives:
    - Unknown
level: high