NTDS.DIT Creation By Uncommon Process (11b1ed55-154d-4e82-8ad7-83739298f720)

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	NTDS.DIT Creation By Uncommon Process (11b1ed55-154d-4e82-8ad7-83739298f720)	Sigma-Rules	1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	NTDS.DIT Creation By Uncommon Process (11b1ed55-154d-4e82-8ad7-83739298f720)	Sigma-Rules	1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2