Windows.Detection.Ntdsutil

This artifact extracts evidence of Ntdsutil abuse from the Application event log. It matches the string "ntds.dit" in event IDs 216, 325, 326 and 327.


name: Windows.Detection.Ntdsutil
author: Matt Green - @mgreen27
description: |
   This artifact will extract evidence of Ntdsutil abuse from the application 
   eventlog. The artifact targets the string "ntds.dit" in event IDs: 216, 325,
   326 and 327.
   
reference:
  - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Ntdsutil/

parameters:
   - name: TargetGlob
     default: '%SystemRoot%\System32\Winevt\Logs\Application.evtx'
   - name: TargetVSS
     type: bool

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT EventTime,
        Computer,Channel,EventID,EventRecordID,Message,EventData,FullPath
      FROM Artifact.Windows.EventLogs.EvtxHunter(
        EvtxGlob=TargetGlob,
        IdRegex='^(216|325|326|327)$',
        IocRegex='ntds\.dit',
        SearchVSS=TargetVSS)
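The selection logic above (ID regex on EventID, IOC regex on the event content) replayed offline in Python over constructed event records, as an added example that is not part of the artifact or of Velociraptor itself. The record shape mirrors the columns the artifact selects; the sample messages are approximations of ESENT events, not captured log data.

```python
import json
import re

# Same filters the artifact passes to Artifact.Windows.EventLogs.EvtxHunter.
ID_REGEX = re.compile(r"^(216|325|326|327)$")
IOC_REGEX = re.compile(r"ntds\.dit", re.IGNORECASE)

# Columns the artifact's SELECT returns.
COLUMNS = ("EventTime", "Computer", "Channel", "EventID",
           "EventRecordID", "Message", "EventData", "FullPath")

EVTX = r"C:\Windows\System32\Winevt\Logs\Application.evtx"
IFM = r"C:\Temp\ifm\Active Directory\ntds.dit"

# Constructed sample rows (not real log data) in the shape EvtxHunter emits.
SAMPLE_EVENTS = [
    {"EventTime": "2024-01-01T10:00:00Z", "Computer": "DC01.corp.example",
     "Channel": "Application", "EventID": 325, "EventRecordID": 1001,
     "Message": "The database engine created a new database named %s." % IFM,
     "EventData": {"Data": [IFM]}, "FullPath": EVTX},
    {"EventTime": "2024-01-01T10:00:01Z", "Computer": "DC01.corp.example",
     "Channel": "Application", "EventID": 216, "EventRecordID": 1002,
     "Message": "A database location change was detected to %s." % IFM,
     "EventData": {"Data": [IFM]}, "FullPath": EVTX},
    # Same event ID, unrelated database: must not match.
    {"EventTime": "2024-01-01T10:05:00Z", "Computer": "DC01.corp.example",
     "Channel": "Application", "EventID": 325, "EventRecordID": 1003,
     "Message": r"The database engine created a new database named C:\Windows\System32\sru\SRUDB.dat.",
     "EventData": {"Data": [r"C:\Windows\System32\sru\SRUDB.dat"]}, "FullPath": EVTX},
    # Mentions ntds.dit but is not one of the targeted IDs: must not match.
    {"EventTime": "2024-01-01T10:06:00Z", "Computer": "DC01.corp.example",
     "Channel": "Application", "EventID": 1000, "EventRecordID": 1004,
     "Message": "Faulting application path: C:\\Tools\\backup.exe ntds.dit",
     "EventData": {}, "FullPath": EVTX},
]

def hunt(events, id_regex=ID_REGEX, ioc_regex=IOC_REGEX):
    """Return the artifact's columns for every event that passes both filters."""
    hits = []
    for ev in events:
        # IdRegex is anchored, so 3250 or 1216 would not slip through.
        if not id_regex.match(str(ev.get("EventID", ""))):
            continue
        # IocRegex is searched over the message and the serialised event data.
        haystack = str(ev.get("Message", "")) + " " + json.dumps(ev.get("EventData", {}))
        if ioc_regex.search(haystack):
            hits.append({col: ev.get(col) for col in COLUMNS})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["EventTime"], hit["Computer"], hit["EventID"], hit["Message"])
```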