Detects credential dumping attempts targeting the NTDS.dit database by monitoring shadow copy creation, suspicious file access to %SystemRoot%\NTDS\ntds.dit, and the use of tooling like ntdsutil.exe or volume management APIs.
| Data Component | Log Source | Event |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Volume Creation (DC0097) | WinEventLog:Microsoft-Windows-VSS | Volume Shadow Copy Creation |

| Tunable Field | Description |
|---|---|
| TargetFilePath | Tunable for the NTDS file location or backup paths if the organization uses a custom domain controller storage layout. |
| ParentProcessName | Can suppress backup-related parent processes to reduce false positives. |
| TimeWindow | Temporal correlation between shadow copy creation and NTDS file access (e.g., 5 min window). |
| UserContext | Tune based on expected privileged user/service account behavior. |
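The correlation the analytic describes, written out as an added example that is not part of the original page: normalized events from the three log sources above are staged as tooling (4688), shadow-copy creation (VSS) or NTDS file activity (Sysmon 2/11), and an alert fires only when a precursor on the same host is followed by NTDS file activity inside `TimeWindow`. The tunables from the table are mirrored as module constants; the suppressed parent process, the expected service account and all sample events are constructed for the example, not taken from any real environment.

```python
"""Correlate shadow-copy / tooling precursors with NTDS.dit file activity.

Constructed example: tunables and sample events are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# ---- Tunables (names follow the analytic's table; values are assumptions) ----
TARGET_FILE_PATTERNS = [re.compile(r"(^|\\)ntds\.dit$", re.IGNORECASE)]  # TargetFilePath
SUPPRESSED_PARENTS = {"backupagent.exe"}      # ParentProcessName (hypothetical backup agent)
TIME_WINDOW = timedelta(minutes=5)            # TimeWindow
EXPECTED_USERS = {"CORP\\svc-backup"}         # UserContext (hypothetical service account)

# Process images named by the analytic as NTDS/volume tooling
DUMP_TOOLS = {"ntdsutil.exe", "vssadmin.exe", "diskshadow.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('' if path is empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_ntds_target(path):
    """True when the file path matches one of the tunable NTDS path patterns."""
    return any(p.search(path) for p in TARGET_FILE_PATTERNS)


def classify(ev):
    """Map one normalized event to a detection stage, or None if irrelevant or suppressed."""
    f = ev["fields"]
    if ev["source"] == "Security" and ev["code"] == 4688:
        if basename(f.get("ParentProcessName", "")) in SUPPRESSED_PARENTS:
            return None  # ParentProcessName suppression for known backup jobs
        if basename(f.get("NewProcessName", "")) in DUMP_TOOLS or "ntds" in f.get("CommandLine", "").lower():
            return "tooling"
    elif ev["source"] == "VSS":
        return "shadow_copy"
    elif ev["source"] == "Sysmon" and ev["code"] in (2, 11):
        if is_ntds_target(f.get("TargetFilename", "")):
            return "ntds_file"
    return None


def correlate(events):
    """One alert per NTDS file event that has a tooling or shadow-copy precursor
    on the same host within TIME_WINDOW before it. Returns a list of alert dicts."""
    staged = [(ev, classify(ev)) for ev in sorted(events, key=lambda e: e["time"])]
    alerts = []
    for i, (ev, stage) in enumerate(staged):
        if stage != "ntds_file":
            continue
        precursors = [s for p, s in staged[:i]
                      if s in ("tooling", "shadow_copy")
                      and p["host"] == ev["host"]
                      and ev["time"] - p["time"] <= TIME_WINDOW]
        if not precursors:
            continue  # NTDS file touched with no precursor in the window: not this analytic
        user = ev["fields"].get("User", "")
        alerts.append({
            "host": ev["host"],
            "file": ev["fields"]["TargetFilename"],
            "user": user,
            "precursors": precursors,
            # UserContext: expected accounts are downgraded for review, not dropped
            "severity": "review" if user in EXPECTED_USERS else "high",
        })
    return alerts


# ---- Constructed sample events (not real telemetry) ----
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "DC01", "source": "Security", "code": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
                "ParentProcessName": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "ntdsutil.exe", "SubjectUserName": r"CORP\jdoe"}},
    {"time": T0 + timedelta(seconds=4), "host": "DC01", "source": "VSS", "code": None,
     "fields": {"Message": "Volume Shadow Copy created"}},
    {"time": T0 + timedelta(seconds=40), "host": "DC01", "source": "Sysmon", "code": 11,
     "fields": {"TargetFilename": r"C:\temp\Active Directory\ntds.dit", "User": r"CORP\jdoe"}},
    # Benign: scheduled backup agent launching the same tool on another DC (suppressed parent)
    {"time": T0 + timedelta(hours=2), "host": "DC02", "source": "Security", "code": 4688,
     "fields": {"NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
                "ParentProcessName": r"C:\Program Files\Backup\backupagent.exe",
                "CommandLine": "ntdsutil.exe", "SubjectUserName": r"CORP\svc-backup"}},
    {"time": T0 + timedelta(hours=2, seconds=30), "host": "DC02", "source": "Sysmon", "code": 11,
     "fields": {"TargetFilename": r"D:\Backups\ntds.dit", "User": r"CORP\svc-backup"}},
    # Isolated NTDS modification hours later with no precursor in the window
    {"time": T0 + timedelta(hours=5), "host": "DC01", "source": "Sysmon", "code": 2,
     "fields": {"TargetFilename": r"C:\Windows\NTDS\ntds.dit", "User": "NT AUTHORITY\\SYSTEM"}},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields a single high-severity alert for DC01 carrying both precursors (`tooling` then `shadow_copy`); the DC02 sequence is dropped by the parent-process suppression and the later Sysmon event on DC01 has nothing to correlate with. Tightening `TIME_WINDOW` or widening `TARGET_FILE_PATTERNS` changes only the constants, which is the point of exposing them as the table's tunables.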