Suspicious Get-ADDBAccount Usage
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects suspicious use of the Get-ADDBAccount script to read from ntds.dit, which may allow access to credentials without using traditional dumping tools.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "Get-ADDBAccount" AND SCRIPTEXECUTED contains "BootKey" AND SCRIPTEXECUTED contains "DatabasePath")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED,Action1.DOMAIN,Action1.PATH,Action1.USERNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Florian Roth (Nextron Systems)


