Attacker Technique - NTDS File Access


I got this alert from Rapid7 and contacted the Infra team; they confirmed to me that they installed the Rapid7 agent on that particular asset. How will I know that it is not an attacker?


I would be very surprised if an attacker was installing R7 in your environment. They usually go to great efforts to disable and avoid such tools.

You can check that the key used to install the agent belongs to your Rapid7 instance (either in the local log files or in the command line log on the platform) which will confirm the asset is bound to your own account.


I agree with jsalsbury. I would be suspicious of receiving this alert and the infrastructure team saying nothing was performed on their end. However, since they confirmed they deployed the agent you can cross-reference the alert with the agent deployment time if you prefer.

Usually, they will deploy the Velociraptor agent on an ad-hoc basis as opposed to the InsightIDR agent, but your case may be unique.

Also, if you ever want to view more information on a specific UBA alert, check this page out (Ctrl+F for "NTDS File Access"): Windows Suspicious Process | InsightIDR Documentation
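The two checks suggested above (that the installed agent is genuinely yours, and that the alert time lines up with the agent deployment) can be scripted on the host itself. The following PowerShell is an added example written for this thread, not a Rapid7 tool or anything posted by the participants. It assumes the Insight Agent runs as the Windows service named `ir_agent` (assumed; pass `-ServiceName` if yours differs), that the agent writes logs somewhere under its install directory (assumed), and that you supply the alert timestamp and, optionally, the leading characters of your own organisation's agent token so the script can look for it in those logs.

```powershell
# Added example, not from the thread. Assumptions are marked inline.
param(
    [Parameter(Mandatory)] [datetime] $AlertTime,   # timestamp taken from the InsightIDR alert
    [string]   $ServiceName = 'ir_agent',           # ASSUMED service name of the Insight Agent
    [string]   $ExpectedTokenPrefix = '',           # leading chars of YOUR org's agent token (optional)
    [timespan] $Window = [timespan]::FromHours(24)  # how close install and alert must be to "explain" it
)

$result = [ordered]@{}

# 1. Confirm the service exists and resolve the binary it runs.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host; the 'agent install' explanation does not hold." }
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$result.ServiceState = $svc.State
$result.BinaryPath   = $exe

# 2. Is the binary really Rapid7's? A renamed attacker tool will fail the Authenticode check.
$sig = Get-AuthenticodeSignature -FilePath $exe
$result.SignatureStatus = $sig.Status
$result.Signer          = $sig.SignerCertificate.Subject
$result.SignedByRapid7  = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Rapid7')

# 3. When was the service installed? Service Control Manager logs event 7045 at install time.
#    Fall back to the binary's creation time if the System log has rolled over.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
         -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match [regex]::Escape($ServiceName) -or
                      $_.Message -match [regex]::Escape($svc.DisplayName) } |
       Sort-Object TimeCreated -Descending | Select-Object -First 1
$installed = if ($evt) { $evt.TimeCreated } else { (Get-Item $exe).CreationTime }
$result.InstalledAt       = $installed
$result.InstallTimeSource = if ($evt) { 'EventID 7045' } else { 'binary CreationTime (fallback)' }

# 4. Cross-reference: did the alert fire shortly AFTER the agent went in?
$result.AlertTime                = $AlertTime
$result.AlertMinusInstall        = $AlertTime - $installed
$result.AlertWithinInstallWindow = ($AlertTime -ge $installed) -and (($AlertTime - $installed) -le $Window)

# 5. Optional: does the local agent log carry YOUR token? A genuine, signed agent bound to
#    someone else's Rapid7 account would pass step 2 but fail here. (Log location is ASSUMED.)
if ($ExpectedTokenPrefix) {
    $agentDir = Split-Path $exe -Parent
    $hits = Get-ChildItem $agentDir -Recurse -Include *.log, *.txt -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch $ExpectedTokenPrefix -List
    $result.TokenFoundInLocalLogs = [bool]$hits
}

[pscustomobject]$result
```

Run it on the alerting host as an administrator, e.g. `.\Check-InsightAgent.ps1 -AlertTime '2024-01-15 10:32' -ExpectedTokenPrefix 'us:1234'`. The case that supports the Infra team's story is `SignedByRapid7 = True`, `AlertWithinInstallWindow = True` and, if you supplied a token prefix, `TokenFoundInLocalLogs = True`; a valid signature alone is not enough, because an attacker could install a genuine agent tied to their own account, which is exactly why the token check in jsalsbury's reply matters.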