{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ntds/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","windows","ntds","sam","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies attempts to copy the Active Directory Domain Database (ntds.dit) or the Security Account Manager (SAM) files on Windows systems. These files contain highly sensitive information, including hashed domain and local credentials, and their unauthorized duplication can lead to significant credential compromise. The detection focuses on identifying specific command-line operations associated with copying these files, including the use of utilities like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, and \u003ccode\u003eesentutl.exe\u003c/code\u003e. The rule is designed for data generated by Elastic Defend and also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, making it broadly applicable for organizations using these security solutions. 
The detection is based on observed attacker behaviors documented in reports such as those detailing Pysa/Mespinoza ransomware and techniques used for credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker elevates privileges to gain necessary access to protected system files, possibly using exploits or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVolume Shadow Copy Creation (Optional):\u003c/strong\u003e The attacker creates a Volume Shadow Copy (VSS) of the system drive to bypass file locking and access the NTDS.dit or SAM files without disrupting system operations. This may involve commands utilizing \u003ccode\u003evssadmin.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNTDS.dit or SAM File Copy:\u003c/strong\u003e The attacker uses command-line tools like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, or \u003ccode\u003eesentutl.exe\u003c/code\u003e to copy the NTDS.dit or SAM files to a different location.  
Example commands include \u003ccode\u003ecopy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit\u003c/code\u003e or \u003ccode\u003eesentutl.exe /y /vss /d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The copied files are staged in a temporary directory or network share accessible to the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Extraction:\u003c/strong\u003e The attacker uses tools like Mimikatz or other credential dumping utilities to extract plaintext passwords and hashes from the copied NTDS.dit or SAM files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Domain Dominance:\u003c/strong\u003e The attacker uses the extracted credentials to move laterally within the network, compromise additional systems, and potentially achieve domain dominance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Optional):\u003c/strong\u003e The attacker may exfiltrate the copied NTDS.dit or SAM file for offline analysis or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the copying of NTDS.dit or SAM files can lead to a complete compromise of an organization\u0026rsquo;s Active Directory domain and/or local system credentials. This allows attackers to move laterally through the network, access sensitive data, and disrupt business operations. The impact can range from data breaches and financial losses to reputational damage and regulatory fines. Incidents like the Pysa/Mespinoza ransomware attacks highlight the real-world consequences of this type of credential access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eNTDS or SAM Database File Copied\u003c/code\u003e to your SIEM to detect suspicious copy operations involving NTDS.dit or SAM files. 
Tune the rule based on your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure adequate coverage for the Sigma rules and investigation.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the execution of \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003excopy.exe\u003c/code\u003e, and \u003ccode\u003eesentutl.exe\u003c/code\u003e with arguments related to copying NTDS.dit or SAM files as described in the rule \u003ccode\u003eNTDS or SAM Database File Copied\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate legitimate backup or disaster recovery processes, adding exceptions based on stable \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e, \u003ccode\u003eprocess.parent.executable\u003c/code\u003e, bounded \u003ccode\u003eprocess.command_line\u003c/code\u003e source/destination, \u003ccode\u003euser.id\u003c/code\u003e, and \u003ccode\u003ehost.id\u003c/code\u003e to minimize false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-01T12:00:00Z","date_published":"2024-01-01T12:00:00Z","id":"/briefs/2024-01-01-ntds-sam-copy/","summary":"Detects copy operations of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files, potentially exposing sensitive hashed credentials on Windows systems.","title":"NTDS or SAM Database File Copied","url":"https://feed.craftedsignal.io/briefs/2024-01-01-ntds-sam-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — Ntds","version":"https://jsonfeed.org/version/1.1"}