From 279a6153363b4ce35f26148f3997927e7ea1ec87 Mon Sep 17 00:00:00 2001 From: Bert-Janp Date: Thu, 21 Mar 2024 19:48:18 +0100 Subject: [PATCH] Update NTDSDitFileModifications --- Defender For Endpoint/NTDSDitFileModifications.md | 2 +- MITRE ATT&CK/Mapping.md | 3 ++- README.md | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Defender For Endpoint/NTDSDitFileModifications.md b/Defender For Endpoint/NTDSDitFileModifications.md index 6351f62..d5ec353 100644 --- a/Defender For Endpoint/NTDSDitFileModifications.md +++ b/Defender For Endpoint/NTDSDitFileModifications.md @@ -6,7 +6,7 @@ | Technique ID | Title | Link | | --- | --- | --- | -| T1003 | Credential Access | [Link](https://attack.mitre.org/techniques/T1003/003/) | +| T1003 | OS Credential Dumping: NTDS | [Link](https://attack.mitre.org/techniques/T1003/003/) | #### Description NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It serves as the primary database file within Microsoft’s Active Directory Domain Services (AD DS). Adversaries may attempt to access or modify the Active Directory domain database in order to steal credential information or perform other types of attack. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. diff --git a/MITRE ATT&CK/Mapping.md b/MITRE ATT&CK/Mapping.md index a7672a1..612833f 100644 --- a/MITRE ATT&CK/Mapping.md +++ b/MITRE ATT&CK/Mapping.md @@ -12,7 +12,7 @@ This section only includes references to queries that can be mapped in the MITRE | Persistence | 11 | | Privilege Escalation | 5 | | Defense Evasion | 15 | -| Credential Access | 6 | +| Credential Access | 7 | | Discovery | 18 | | Lateral Movement | 1 | | Collection | 1 | 
@@ -95,6 +95,7 @@ This section only includes references to queries that can be mapped in the MITRE | Technique ID | Title | Query | | --- | --- | --- | +| T1003 |OS Credential Dumping: NTDS | [NTDS.DIT File Modifications](./Defender%20For%20Endpoint/NTDSDitFileModifications.md) | | T1110 | Brute Force | [Password Change After Succesful Brute Force](../Defender%20For%20Identity/PasswordChangeAfterSuccesfulBruteForce.md) | | T1110 | Brute Force | [Multiple Accounts Locked](../Azure%20Active%20Directory/MultipleAccountsLocked.md) | | T1552 | Unsecured Credentials | [Commandline with cleartext password](../Defender%20For%20Endpoint/CommandlineWithClearTextPassword.md) | diff --git a/README.md b/README.md index 4efb308..7f8185d 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,9 @@ Everyone can submit contributions to this repository via a Pull Request. If you | | | | |
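Review bot: In the NTDSDitFileModifications.md hunk the Technique ID column still reads `T1003` while the new title "OS Credential Dumping: NTDS" and the existing link (`https://attack.mitre.org/techniques/T1003/003/`) both refer to the NTDS sub-technique; change the ID to `T1003.003` so all three cells of the row agree, e.g. `| T1003.003 | OS Credential Dumping: NTDS | [Link](https://attack.mitre.org/techniques/T1003/003/) |`.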
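Review bot: The row added in the Mapping.md `@@ -95,6 +95,7 @@` hunk links to `./Defender%20For%20Endpoint/NTDSDitFileModifications.md`, but every neighbouring row in the same table uses `../Defender%20For%20Endpoint/...` and `../Defender%20For%20Identity/...`; since Mapping.md lives under `MITRE ATT&CK/`, the `./` path will not resolve and should become `../Defender%20For%20Endpoint/NTDSDitFileModifications.md`. The cell `|OS Credential Dumping: NTDS |` is also missing the leading space the other rows use, and the ID should be `T1003.003` to match the sub-technique named in the title.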