sysmon xml filter to monitor use of ntdsutil.exe

include_ntdsutil.xml

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="technique_id=T1003.003,technique_name=OS Credential Dumping: NTDS" condition="is">ntdsutil.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>