Update NTDSDitFileModifications
Bert-JanP committed Mar 21, 2024
1 parent b74015d commit 279a615
Showing 3 changed files with 5 additions and 3 deletions.
2 changes: 1 addition & 1 deletion Defender For Endpoint/NTDSDitFileModifications.md
@@ -6,7 +6,7 @@

| Technique ID | Title | Link |
| --- | --- | --- |
| T1003 | Credential Access | [Link](https://attack.mitre.org/techniques/T1003/003/) |
| T1003 | OS Credential Dumping: NTDS | [Link](https://attack.mitre.org/techniques/T1003/003/) |

#### Description
NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It serves as the primary database file within Microsoft’s Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attack. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
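Review bot: the Technique ID column in the changed row still reads T1003 while both the new title "OS Credential Dumping: NTDS" and the link target (techniques/T1003/003/) refer to the sub-technique; consider changing the ID to T1003.003 so the three columns agree. The title change itself is right: "Credential Access" is the tactic name, and the sub-technique title is what belongs in that column.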
3 changes: 2 additions & 1 deletion MITRE ATT&CK/Mapping.md
@@ -12,7 +12,7 @@ This section only includes references to queries that can be mapped in the MITRE
| Persistence | 11 |
| Privilege Escalation | 5 |
| Defense Evasion | 15 |
| Credential Access | 6 |
| Credential Access | 7 |
| Discovery | 18 |
| Lateral Movement | 1 |
| Collection | 1 |
@@ -95,6 +95,7 @@ This section only includes references to queries that can be mapped in the MITRE

| Technique ID | Title | Query |
| --- | --- | --- |
| T1003 |OS Credential Dumping: NTDS | [NTDS.DIT File Modifications](./Defender%20For%20Endpoint/NTDSDitFileModifications.md) |
| T1110 | Brute Force | [Password Change After Succesful Brute Force](../Defender%20For%20Identity/PasswordChangeAfterSuccesfulBruteForce.md) |
| T1110 | Brute Force | [Multiple Accounts Locked](../Azure%20Active%20Directory/MultipleAccountsLocked.md) |
| T1552 | Unsecured Credentials | [Commandline with cleartext password](../Defender%20For%20Endpoint/CommandlineWithClearTextPassword.md) |
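Review bot: the added row's query link uses `./Defender%20For%20Endpoint/...` while the neighbouring rows in the same table use `../Defender%20For%20Endpoint/...`; since Mapping.md lives in the MITRE ATT&CK directory, the `./` form will not resolve, so change it to `../Defender%20For%20Endpoint/NTDSDitFileModifications.md`. While on that line, add the missing space after the first pipe (`| T1003 | OS Credential Dumping: NTDS |`) to match the other rows, and consider listing the ID as T1003.003 since the title names the sub-technique.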
3 changes: 2 additions & 1 deletion README.md
@@ -80,8 +80,9 @@ Everyone can submit contributions to this repository via a Pull Request. If you
| | | | | <ul><li>[Check for Phishing Emails Using IPFS in Phishing Campaigns](./Threat%20Hunting/TI%20Feed%20-%20ipfs_phishing.md)</li>|
| | | | | <ul><li>[Kerberos attacks](./Defender%20For%20Endpoint/nf_ttp_generic_kerberos_attacks.md)</li>|
| | | | | <ul><li>[PowerShell Creating LNK Files within a Startup Directory Detection](./Defender%20For%20Endpoint/nf_ttp_t1547-001_yellowcockatoo_powershell_create_link_in_startup)</li>|
| [Alex Teixeira](https://www.linkedin.com/in/inode/) | 2 | [@inodee](https://github.com/inodee) | [@ateixei](https://twitter.com/ateixei) | <ul><li>[Rare_Outgoing_IPv4_Connections](./Defender%20For%20Endpoint/Rare_Outgoing_IPv4_Connections.md)</li>
| [Alex Teixeira](https://www.linkedin.com/in/inode/) | 3 | [@inodee](https://github.com/inodee) | [@ateixei](https://twitter.com/ateixei) | <ul><li>[Rare_Outgoing_IPv4_Connections](./Defender%20For%20Endpoint/Rare_Outgoing_IPv4_Connections.md)</li>
| | | | | <ul><li>[Detect Known RAT RMM Process Patterns](./Defender%20For%20Endpoint/Detect_Known_RAT_RMM_Process_Patterns.md)</li>|
| | | | | <ul><li>[NTDS.DIT File Modifications](./Defender%20For%20Endpoint/NTDSDitFileModifications.md)</li>|
| [Babak Mahmoodizadeh](https://www.linkedin.com/in/babak-mhz/) | 1 | [@babakmhz](https://github.com/babakmhz) | - | <ul><li>[WebShell Detection](./Defender%20For%20Endpoint/WebshellDetection.md)</li> |

### Detection Template
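Review bot: the changed Alex Teixeira row (count 2 to 3) still lacks the trailing `|` that closes every other row in this table, including the two continuation rows beneath it; append it while the line is being touched. The new NTDS.DIT entry and the updated count are consistent with each other and with the root-relative `./Defender%20For%20Endpoint/` path used elsewhere in README.md.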

0 comments on commit 279a615