Forum Discussion
Daugirdas_Sinkevicius
Sep 21, 2020, Copper Contributor
Azure ATP possibilities to detect NTDS.dit dump
Hello,
Does Azure ATP detect activities related to getting a copy of the file NTDS.dit?
For example, when dumping the file with native built-in tools while an Administrator is logged on to a DC:
- Leverage the NTDSUtil diagnostic tool available as part of Active Directory
- VSSAdmin - Use Volume Shadow Copies via the VSSAdmin command
Thanks
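The two dump paths named in the question (ntdsutil IFM and a VSS shadow copy) both leave a process-creation trail on the domain controller itself, so a host-side rule is the natural cross-check when a network-sensor product does not raise an alert. The script below is an added example written for this thread, not code from Microsoft or from any poster; it assumes process-creation records (Security event 4688 with command-line auditing enabled, or Sysmon event 1) exported to dicts with the constructed field names `host`, `user`, `image` and `cmdline`, and the host names, rules and sample events are all constructed for the example.

```python
"""Host-side detection of NTDS.dit copy activity from process-creation events.

Assumed input: Windows Security event 4688 (with command-line auditing) or
Sysmon event 1 records, flattened to dicts. Field names, host names and the
sample events below are constructed for this example.
"""
import re
from typing import Iterable

# Constructed: hosts treated as domain controllers (where NTDS.dit lives).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# (rule name, image-name pattern, command-line pattern), all case-insensitive.
# The command-line patterns are kept narrow so routine ntdsutil maintenance
# (e.g. "metadata cleanup") or "vssadmin list shadows" does not fire.
RULES = [
    ("ntdsutil IFM media creation", r"\\ntdsutil\.exe$", r"\bifm\b"),
    ("vssadmin shadow copy creation", r"\\vssadmin\.exe$", r"\bcreate\b.*\bshadow\b"),
    ("direct reference to NTDS.dit", r".", r"ntds\.dit"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I))
            for name, img, cmd in RULES]


def evaluate(event: dict) -> list[dict]:
    """Return one finding per matching rule for a single process-creation event."""
    findings = []
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    for name, img_re, cmd_re in COMPILED:
        if img_re.search(image) and cmd_re.search(cmdline):
            # The same tool on a DC touches the live directory database, so it
            # is rated higher than the same command line seen elsewhere.
            on_dc = event.get("host") in DOMAIN_CONTROLLERS
            findings.append({
                "rule": name,
                "host": event.get("host"),
                "user": event.get("user"),
                "severity": "high" if on_dc else "medium",
                "cmdline": cmdline,
            })
    return findings


def detect(events: Iterable[dict]) -> list[dict]:
    """Run every rule over every event and collect the findings in order."""
    out: list[dict] = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


# Constructed sample events: two dumps on a DC, two benign admin commands,
# and one stray reference to the file on a workstation.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CONTOSO\\admin",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" ifm (constructed, further arguments elided)'},
    {"host": "DC01", "user": "CONTOSO\\admin",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC02", "user": "CONTOSO\\admin",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": "ntdsutil.exe metadata cleanup"},
    {"host": "DC02", "user": "CONTOSO\\backupsvc",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS07", "user": "CONTOSO\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy E:\\backup\\ntds.dit D:\\stage\\"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} on {f['host']} by {f['user']}: {f['cmdline']}")
```

Running it yields three findings: the IFM and shadow-copy commands on DC01 as high, the workstation copy as medium, and nothing for the two maintenance commands. In practice the records would come from a SIEM query rather than an inline list, and the severity step for domain controllers is the piece worth keeping, since the same vssadmin command on a file server is routine backup behaviour.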
3 Replies
- David Caddick, Iron Contributor
Daugirdas_Sinkevicius yes it does - and boy did it cause some angst...

- Daugirdas_Sinkevicius, Copper Contributor
David Caddick, just want to clarify... have you ever tested this?
I've deployed a fresh new AATP 2 months ago, and once we dumped NTDS.dit on a DC, ATP did not show any alert 😞
Double checked - ATP sensors were working fine on all DCs during the test.
- David Caddick, Iron Contributor
Daugirdas_Sinkevicius specifically this is what we saw:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/exfiltration-alerts#data-exfiltration-over-smb-external-id-2030
Might check using SMB maybe?