Install-From-Media Database Creation via Command Line
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Install-From-Media Database Creation via Command Line | Standard | Active Directory | Credential Access: OS Credential Dumping - NTDS (T1003.003) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects creation of Active Directory Install From Media (IFM) data using command-line tools.
Why this rule?
Creating Install-From-Media (IFM) data with ntdsutil.exe or dsdbutil.exe is a legitimate and powerful Active Directory administrative function: it exports the complete NTDS.dit database, which holds every domain account's password hashes, Kerberos keys, group memberships and domain trust information, together with the SYSTEM registry hive needed to decrypt it offline. That makes an IFM run an extremely attractive step for attackers who want to compromise an entire Windows domain through offline credential cracking, pass-the-hash attacks, or golden ticket creation with the extracted krbtgt hash.
Severity
Trouble
Rule journey
Attack chain scenario
Credential Access → IFM Database Creation → NTDS.dit Extraction → Credential Harvesting → Lateral Movement.
Impact
Attackers can extract the Active Directory database, including password hashes and other sensitive information, for offline cracking and lateral movement.
Rule Requirement
Prerequisites
Enable process creation monitoring (Sysmon Event ID 1 or Windows Security Event ID 4688) and collect the command line of dsdbutil.exe and ntdsutil.exe executions. Event 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled, and it has no OriginalFileName field, so the ORIGINALFILENAME clause in the criteria catches renamed copies of the binaries only where Sysmon data is available.
Criteria
Action1: actionname = "Process started"
  AND ( ( PROCESSNAME endswith "dsdbutil.exe,ntdsutil.exe" OR ORIGINALFILENAME = "dsdbutil.exe,ntdsutil.exe" )
        AND ( COMMANDLINE contains "i " OR COMMANDLINE contains "ifm " OR COMMANDLINE contains "c " OR COMMANDLINE contains "create" OR COMMANDLINE contains "ac " OR COMMANDLINE contains "act " OR COMMANDLINE contains "activate " ) )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME, Action1.PARENTPROCESSCOMMANDLINE, Action1.ORIGINALFILENAME, Action1.PARENTPROCESSID, Action1.PROCESSID, Action1.PRODUCT_NAME, Action1.SECURITYID, Action1.DOMAIN
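The criteria above run over a handful of constructed process-creation records, as an added example (this is not the vendor's rule engine or any code from the page). `matches_rule` applies the page's conditions literally; it assumes the comma-separated process-name value means "any of these names" and that the string tests are case-insensitive, neither of which the page states. `is_ifm_create` is an added, tighter token-based check that separates a real ifm/create invocation from other ntdsutil sessions that also begin with "ac i ntds". Hostnames, user names and command lines are made up. The third record shows the 4688 gap: a renamed binary with no OriginalFileName field slips past the rule.

```python
import re

# Assumption: the Criteria's comma-separated value is the vendor DSL's
# shorthand for "any of these names"; the page does not say so.
PROCESS_NAMES = ("dsdbutil.exe", "ntdsutil.exe")

# Fragments copied from the Criteria block. They are deliberately loose:
# ntdsutil accepts unambiguous prefixes, so "ac i ntds" is
# "activate instance ntds", "i" is "ifm" and "c" is "create".
CMDLINE_FRAGMENTS = ("i ", "ifm ", "c ", "create", "ac ", "act ", "activate ")


def matches_rule(event):
    """The page's Criteria, evaluated literally.

    Assumption: string tests are case-insensitive, as in most SIEM query
    languages; the page does not state it either way.
    """
    if event.get("actionname") != "Process started":
        return False
    proc = event.get("PROCESSNAME", "").lower()
    orig = event.get("ORIGINALFILENAME", "").lower()
    binary_hit = proc.endswith(PROCESS_NAMES) or orig in PROCESS_NAMES
    cmd = event.get("COMMANDLINE", "").lower()
    return binary_hit and any(frag in cmd for frag in CMDLINE_FRAGMENTS)


def is_ifm_create(cmdline):
    """Tighter check added here (not part of the page's rule): require a
    token that abbreviates 'ifm' followed later by one that abbreviates
    'create'. Quoted sub-commands such as "ac i ntds" are split into
    individual tokens, so prefix forms are handled like the long forms.
    The 'i' of 'ac i ntds' (instance) also counts as an ifm candidate,
    which is why the create verb must appear after it.
    """
    tokens = re.findall(r'[^\s"]+', cmdline.lower())
    ifm_at = [i for i, t in enumerate(tokens) if "ifm".startswith(t)]
    create_at = [i for i, t in enumerate(tokens) if "create".startswith(t)]
    return bool(ifm_at) and bool(create_at) and min(ifm_at) < max(create_at)


# Constructed process-creation records in the Criteria's field names.
EVENTS = [
    {"HOSTNAME": "DC01", "actionname": "Process started", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Windows\\System32\\ntdsutil.exe", "ORIGINALFILENAME": "ntdsutil.exe",
     "COMMANDLINE": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q'},
    # Renamed copy, caught only through the Sysmon OriginalFileName field.
    {"HOSTNAME": "DC01", "actionname": "Process started", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Users\\Public\\svc.exe", "ORIGINALFILENAME": "ntdsutil.exe",
     "COMMANDLINE": 'svc.exe "ac i ntds" i "c full C:\\Users\\Public\\d" q q'},
    # Same command seen through Event 4688: no OriginalFileName, rule misses it.
    {"HOSTNAME": "DC01", "actionname": "Process started", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Users\\Public\\svc.exe",
     "COMMANDLINE": 'svc.exe "ac i ntds" i "c full C:\\Users\\Public\\d" q q'},
    # Non-IFM ntdsutil session: the rule fires on "ac " / "i ", the tight check does not.
    {"HOSTNAME": "DC02", "actionname": "Process started", "USERNAME": "CORP\\adadmin",
     "PROCESSNAME": "C:\\Windows\\System32\\ntdsutil.exe", "ORIGINALFILENAME": "ntdsutil.exe",
     "COMMANDLINE": 'ntdsutil.exe "ac i ntds" "ldap policies" "show values" q q'},
    # dsdbutil with the long-form verbs.
    {"HOSTNAME": "DC02", "actionname": "Process started", "USERNAME": "CORP\\adadmin",
     "PROCESSNAME": "C:\\Windows\\System32\\dsdbutil.exe", "ORIGINALFILENAME": "dsdbutil.exe",
     "COMMANDLINE": 'dsdbutil.exe "activate instance ntds" ifm "create full D:\\IFM" quit quit'},
]


def triage(events):
    """Return (hostname, username, rule_hit, ifm_create) for each event."""
    return [
        (e["HOSTNAME"], e["USERNAME"], matches_rule(e), is_ifm_create(e["COMMANDLINE"]))
        for e in events
    ]


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Running it shows the rule firing on four of the five records and the tighter check on four as well, but not the same four: the literal rule alerts on the "ldap policies" session and misses the renamed binary seen through 4688, while the token check does the reverse. Which behaviour you want depends on whether the alert is meant to cover any ntdsutil instance activation or only IFM exports.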
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Credential Access: OS Credential Dumping - NTDS (T1003.003)
Future actions
Known False Positives
Authorized Active Directory maintenance, domain controller rebuilds, or disaster recovery operations using IFM procedures.
Next Steps
- Identification: Identify the user, host and parent process that launched the IFM database creation, and the output path named in the command line.
- Analysis: Determine whether the IFM operation was an authorized AD maintenance or recovery task (for example a planned domain controller build) and whether the exported folder still exists on the domain controller or was copied elsewhere.
- Response: Investigate potential NTDS.dit theft. If unauthorized access is confirmed, treat every domain credential as compromised: reset the krbtgt password twice, rotate privileged and service account passwords, and hunt for pass-the-hash and golden ticket activity.
Mitigation
- Ensure Domain Controller backups are properly secured.[2]
- Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
- Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
- Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.


