This artifact will extract evidence of Ntdsutil abuse from the application eventlog. The artifact targets the string “ntds.dit” in event IDs: 216, 325, 326 and 327.
name: Windows.Detection.Ntdsutil
author: Matt Green - @mgreen27
description: |
This artifact will extract evidence of Ntdsutil abuse from the application
eventlog. The artifact targets the string "ntds.dit" in event IDs: 216, 325,
326 and 327.
reference:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Ntdsutil/
parameters:
- name: TargetGlob
default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
- name: VSSAnalysisAge
type: int
default: 0
description: |
If larger than zero we analyze VSS within this many days
ago. (e.g 7 will analyze all VSS within the last week). Note
that when using VSS analysis we have to use the ntfs accessor
for everything which will be much slower.
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT EventTime,
Computer,Channel,EventID,EventRecordID,Message,EventData,FullPath
FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob=TargetGlob,
IdRegex='^(216|325|326|327)$',
IocRegex='ntds\.dit',
VSSAnalysisAge=VSSAnalysisAge)