Suspicious Get-ADDBAccount Usage (b140afd9-474b-4072-958e-2ebb435abd68)

Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Suspicious Get-ADDBAccount Usage (b140afd9-474b-4072-958e-2ebb435abd68)	Sigma-Rules	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2