NTDS Dit File Modifications
Query
// Author: Alex Teixeira ([email protected])
search in(DeviceFileEvents) "ntds" and "dit" and ActionType:"FileModified"
| where Timestamp > ago(90d)
| summarize Device_Count=dcount(DeviceId), Device_Sample=take_any(DeviceName), File_Count=dcount(FolderPath), File_Sample=take_any(FolderPath), Last_Seen=max(Timestamp) by InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName
| sort by Device_Count desc, File_Count descAbout this query
Explanation
This query is designed to detect modifications to the NTDS.DIT file, which is a critical component of Microsoft's Active Directory. The NTDS.DIT file contains sensitive information, including user credentials, and unauthorized modifications to this file could indicate malicious activity, such as credential dumping.
Here's a simple breakdown of what the query does:
-
Search Scope: The query looks for file events related to the NTDS.DIT file within the last 90 days. It specifically searches for events where the file has been modified.
-
Data Collection: It collects data from devices where these modifications have occurred, including:
- The number of unique devices involved (
Device_Count). - A sample device name (
Device_Sample). - The number of unique file paths involved (
File_Count). - A sample file path (
File_Sample). - The most recent timestamp of such an event (
Last_Seen).
- The number of unique devices involved (
-
Grouping and Sorting: The results are grouped by the process that initiated the modification, including:
- The name of the parent process (
InitiatingProcessParentFileName). - The folder path of the initiating process (
InitiatingProcessFolderPath). - The account name under which the process ran (
InitiatingProcessAccountName).
- The name of the parent process (
-
Output: The results are sorted by the number of devices and file paths involved, in descending order, to prioritize the most widespread or frequent modifications.
This query helps identify potential security threats by highlighting unusual or unauthorized modifications to the NTDS.DIT file, which could be indicative of an attack on the Active Directory infrastructure.
