forked from SigmaHQ/sigma
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathwin_dumping_ntdsdit_via_netsync.yml
30 lines (30 loc) · 1.15 KB
/
win_dumping_ntdsdit_via_netsync.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
title: Dumping ntds.dit remotely via NetSync
id: 757b2a11-73e7-411a-bd46-141d906e0167
description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4624
ComputerName: '%DomainControllersNamesList%'
selection2:
IpAddress: '%DomainControllersIpsList%'
selection3:
EventID: 5145
ComputerName: '%DomainControllersNamesList%'
ShareName|contains: '\IPC$'
SubjectLogonId: '%SuspiciousTargetLogonIdList%'
RelativeTargetName: 'netlogon'
condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
- Legitimate administrator adding new domain controller to already existing domain
level: medium
status: unsupported