← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Get-ADDBAccount Usage

Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1003.003
Rule sourcerules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
status: test
description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
author: Florian Roth (Nextron Systems)
date: 2022-03-16
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains|all:
            - 'Get-ADDBAccount'
            - 'BootKey '
            - 'DatabasePath '
    condition: selection
falsepositives:
    - Unknown
level: high