Suspicious Get-ADDBAccount Usage

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects suspicious use of the Get-ADDBAccount script to read from ntds.dit, which may allow access to credentials without using traditional dumping tools.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "Get-ADDBAccount" AND SCRIPTEXECUTED contains "BootKey" AND SCRIPTEXECUTED contains "DatabasePath") select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED,Action1.DOMAIN,Action1.PATH,Action1.USERNAME

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Florian Roth (Nextron Systems)