besimorhino

## include_ntdsutil.xml
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="technique_id=T1003.003,technique_name=OS Credential Dumping: NTDS" condition="is">ntdsutil.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
	<Sysmon schemaversion="4.30">
	<EventFiltering>
	<RuleGroup name="" groupRelation="or">
	<ProcessCreate onmatch="include">
	<OriginalFileName name="technique_id=T1003.003,technique_name=OS Credential Dumping: NTDS" condition="is">ntdsutil.exe</OriginalFileName>
	</ProcessCreate>
	</RuleGroup>
	</EventFiltering>
	</Sysmon>