NTDS or SAM Database File Copied
Detects copy operations of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files using command-line tools, potentially leading to credential access.
This detection identifies potential credential access attempts by monitoring copy operations of sensitive Windows files: the Active Directory Domain Database (ntds.dit) and the Security Account Manager (SAM). These files contain hashed domain and local credentials. The rule focuses on detecting command-line tools such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe when used to copy these sensitive files. This activity often indicates an attacker attempting to dump credentials for lateral movement or privilege escalation within a compromised environment. The rule is based on detection logic from Elastic Security. The targeted files and tools are consistent across various attack scenarios, making this a valuable detection for defenders.
Attack Chain
- Attacker gains initial access to a Windows host (e.g., via phishing or exploitation).
- The attacker executes a command shell such as
cmd.exeorpowershell.exe. - The attacker leverages volume shadow copy service to create a shadow copy of the system drive.
- The attacker uses
esentutl.exewith the/yand/vssparameters to copy thentds.ditfile from the shadow copy to a local directory. - Alternatively, the attacker uses
xcopy.exe,copy,move,cpormvto copy thentds.ditorSAMfiles. - The attacker may compress the copied database file for easier transfer.
- The attacker exfiltrates the copied
ntds.ditorSAMfile from the target host. - The attacker uses tools like
secretsdump.pyto extract credentials from the offline database.
Impact
Successful exfiltration of the ntds.dit or SAM files allows attackers to obtain domain or local credentials, leading to lateral movement, privilege escalation, and potentially domain compromise. This could result in data breaches, ransomware deployment, or other significant operational disruptions. The severity is high due to the sensitive nature of the data and the potential for widespread impact. The DFIR Report has documented this technique being used in Pysa/Mespinoza ransomware attacks.
Recommendation
- Deploy the Sigma rule "NTDS or SAM Database File Copied" to your SIEM to detect potential credential access attempts (see rules section).
- Enable Windows Security Event Logging and Sysmon to capture the necessary process creation and command-line data (Data Source: Windows Security Event Logs, Sysmon).
- Investigate and remediate any alerts generated by this rule immediately, following the provided investigation guide (Resources: Investigation Guide).
- Monitor file access events to detect unauthorized access attempts to
ntds.ditandSAMfiles (Data Source: Elastic Defend). - Implement strict access control policies to limit access to sensitive files like
ntds.ditandSAM(Mitigation).
Detection coverage 2
NTDS or SAM Database File Copied - CommandLine
highDetects copy operations of NTDS or SAM database files via command line.
NTDS or SAM Database File Copied - esentutl.exe
highDetects NTDS or SAM database file copy using esentutl.exe.
Detection queries are available on the platform. Get full rules →