Advisory severity: high

NTDS or SAM Database File Copied

Detects copy operations of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files, potentially exposing sensitive hashed credentials on Windows systems.

This detection identifies attempts to copy the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM) files on Windows systems. These files contain highly sensitive information, including hashed domain and local credentials, and their unauthorized duplication can lead to significant credential compromise. The detection focuses on identifying specific command-line operations associated with copying these files, including the use of utilities like cmd.exe, powershell.exe, xcopy.exe, and esentutl.exe. The rule is designed for data generated by Elastic Defend and also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, making it broadly applicable for organizations using these security solutions. The detection is based on observed attacker behaviors documented in reports such as those detailing Pysa/Mespinoza ransomware and techniques used for credential access.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.
  2. Privilege Escalation: The attacker elevates privileges to gain necessary access to protected system files, possibly using exploits or misconfigurations.
  3. Volume Shadow Copy Creation (Optional): The attacker creates a Volume Shadow Copy (VSS) of the system drive to bypass file locking and access the NTDS.dit or SAM files without disrupting system operations. This may involve commands utilizing vssadmin.exe.
  4. NTDS.dit or SAM File Copy: The attacker uses command-line tools like cmd.exe, powershell.exe, xcopy.exe, or esentutl.exe to copy the NTDS.dit or SAM files to a different location. Example commands include copy C:\Windows\NTDS\ntds.dit C:\temp\ntds.dit or esentutl.exe /y /vss /d.
  5. Staging: The copied files are staged in a temporary directory or network share accessible to the attacker.
  6. Credential Extraction: The attacker uses tools like Mimikatz or other credential dumping utilities to extract plaintext passwords and hashes from the copied NTDS.dit or SAM files.
  7. Lateral Movement/Domain Dominance: The attacker uses the extracted credentials to move laterally within the network, compromise additional systems, and potentially achieve domain dominance.
  8. Exfiltration (Optional): The attacker may exfiltrate the copied NTDS.dit or SAM file for offline analysis or further exploitation.

Impact

A successful attack involving the copying of NTDS.dit or SAM files can lead to a complete compromise of an organization’s Active Directory domain and/or local system credentials. This allows attackers to move laterally through the network, access sensitive data, and disrupt business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. Incidents like the Pysa/Mespinoza ransomware attacks highlight the real-world consequences of this type of credential access.

Recommendation

  • Deploy the Sigma rule NTDS or SAM Database File Copied to your SIEM to detect suspicious copy operations involving NTDS.dit or SAM files. Tune the rule based on your environment.
  • Enable Sysmon process creation logging (Event ID 1) to ensure adequate coverage for the Sigma rules and investigation.
  • Monitor process command lines for the execution of cmd.exe, powershell.exe, xcopy.exe, and esentutl.exe with arguments related to copying NTDS.dit or SAM files as described in the rule NTDS or SAM Database File Copied.
  • Investigate and validate legitimate backup or disaster recovery processes, then add exceptions keyed on stable fields (process.executable, process.code_signature.subject_name, process.parent.executable, a bounded set of process.command_line source/destination paths, user.id, and host.id) to minimize false positives.

Detection coverage (2 rules)

NTDS or SAM Database File Copied (Cmd/PowerShell/Xcopy)

Severity: high

Detects copy operations of NTDS.dit or SAM files using cmd.exe, powershell.exe or xcopy.exe.

Format: Sigma | Tactics: credential_access | Techniques: T1003.002 | Sources: process_creation, windows

NTDS or SAM Database File Copied (esentutl.exe)

Severity: high

Detects copy operations of NTDS.dit or SAM files using esentutl.exe.

Format: Sigma | Tactics: credential_access | Techniques: T1003.002 | Sources: process_creation, windows
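The matching logic that the two rules above and the Recommendation section describe, written out as an added worked example in Python. This is not the vendor's Sigma rule or platform query; it evaluates constructed Sysmon Event ID 1 style process-creation records against the cmd/powershell/xcopy pattern and the esentutl.exe pattern, then applies exceptions keyed on the fields the Recommendation lists (executable, parent executable, user, host). The copy verb Copy-Item, the SAM hive path, and the backup-agent path, service account and host names are assumptions introduced here.

```python
"""Added example: evaluate process_creation events against the NTDS.dit / SAM copy patterns.
The sample events, the backup-agent exception and the Copy-Item verb are constructed
assumptions, not data from the advisory."""
import re
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

TECHNIQUE = "T1003.002"  # technique tag carried by both rules on the page
RULE_CMD = "NTDS or SAM Database File Copied (Cmd/PowerShell/Xcopy)"
RULE_ESENTUTL = "NTDS or SAM Database File Copied (esentutl.exe)"

# Executables the first rule keys on; esentutl.exe is handled by the second rule.
COPY_TOOLS = {"cmd.exe", "powershell.exe", "xcopy.exe"}

# Files of interest: the AD database and the SAM registry hive
# (C:\Windows\System32\config\SAM is the hive's on-disk path).
TARGET_FILE = re.compile(r"\\(ntds\.dit|config\\sam)\b", re.IGNORECASE)
# Copy verbs: 'copy' and 'xcopy' follow the advisory's example commands;
# 'copy-item' is an assumed PowerShell equivalent added here.
COPY_VERB = re.compile(r"(?<![\w-])(xcopy|copy(-item)?)\b", re.IGNORECASE)
# esentutl /y performs a file copy; the advisory's example also passes /vss and /d.
ESENTUTL_COPY = re.compile(r"(^|\s)/y(\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 / process_creation record."""
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process
    user: str
    host: str

    @property
    def executable(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    host: str
    user: str
    command_line: str


def is_excepted(event: ProcessEvent, exceptions: Iterable[Mapping[str, str]]) -> bool:
    """An exception suppresses the event only if every listed field matches (case-insensitive)."""
    return any(
        all(getattr(event, field).lower() == value.lower() for field, value in exc.items())
        for exc in exceptions
    )


def evaluate(event: ProcessEvent, exceptions: Iterable[Mapping[str, str]] = ()) -> Optional[Alert]:
    """Return an Alert when the event matches one of the two rules and no exception applies."""
    cmd = event.command_line
    if not TARGET_FILE.search(cmd):
        return None
    exe = event.executable
    rule = None
    if exe in COPY_TOOLS and COPY_VERB.search(cmd):
        rule = RULE_CMD
    elif exe == "esentutl.exe" and ESENTUTL_COPY.search(cmd):
        rule = RULE_ESENTUTL
    if rule is None or is_excepted(event, exceptions):
        return None
    return Alert(rule, TECHNIQUE, event.host, event.user, cmd)


def run(events: Iterable[ProcessEvent], exceptions: Iterable[Mapping[str, str]] = ()) -> list:
    """Evaluate a batch of events and keep the alerts, in input order."""
    return [alert for alert in (evaluate(e, exceptions) for e in events) if alert is not None]


# Constructed sample telemetry (hosts, users and paths are made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\temp\ntds.dit",
                 r"C:\Windows\explorer.exe", r"CORP\jdoe", "DC01"),
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",
                 r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit",
                 r"C:\Windows\System32\cmd.exe", r"CORP\jdoe", "DC01"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile Copy-Item C:\Windows\System32\config\SAM C:\Users\Public\sam.bak",
                 r"C:\Windows\System32\cmd.exe", r"WS07\localadmin", "WS07"),
    ProcessEvent(r"C:\Windows\System32\xcopy.exe",          # ordinary file copy: no target file
                 r"xcopy.exe C:\Users\alice\Documents\report.docx D:\backup\ /Y",
                 r"C:\Windows\System32\cmd.exe", r"CORP\alice", "WS03"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",            # matches, but covered by an exception
                 r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit E:\backup\ntds.dit",
                 r"C:\Program Files\Acme Backup\agent.exe", r"CORP\backup_svc", "DC01"),
    ProcessEvent(r"C:\Windows\System32\esentutl.exe",       # integrity check (/ms), not a copy
                 r"esentutl.exe /ms C:\Windows\NTDS\ntds.dit",
                 r"C:\Windows\System32\cmd.exe", r"CORP\dcadmin", "DC01"),
]

# Exception for a validated backup job, keyed on the stable fields the advisory recommends.
EXCEPTIONS = [
    {"executable": "cmd.exe",
     "parent_image": r"C:\Program Files\Acme Backup\agent.exe",
     "user": r"CORP\backup_svc",
     "host": "DC01"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, EXCEPTIONS):
        print(f"[{alert.rule}] {alert.technique} host={alert.host} user={alert.user}: {alert.command_line}")
```

Running the block prints three alerts: the cmd.exe and esentutl.exe copies of ntds.dit on DC01 and the PowerShell copy of the SAM hive on WS07. The backup agent's copy is suppressed only because executable, parent, user and host all match the exception; dropping any one field from the exception would make it fire again, which is the point of keying exceptions on several stable fields rather than on the command line alone.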
