T1003.003: NTDS
View on MITRE ATT&CK | T1003.003 |
---|---|
Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to access the NTDS file and extract the credential hashes stored for the entire Active Directory domain.
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Encrypt Sensitive Information
Protect sensitive information with strong encryption.
Password Policies
Set and enforce secure password policies for accounts.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Create Symlink to Volume Shadow Copy
Create Volume Shadow Copy with Powershell
Create Volume Shadow Copy with vssadmin
Create Volume Shadow Copy remotely (WMI) with esentutl
Create Volume Shadow Copy remotely with WMI
Create Volume Shadow Copy with WMI
Dump Active Directory Database with NTDSUtil
Copy NTDS.dit from Volume Shadow Copy
Create Volume Shadow Copy with diskshadow
Sigma Detections for this Technique
Possible Impacket SecretDump Remote Activity
NTDS.DIT Creation By Uncommon Process
Cred Dump Tools Dropped Files
Create Volume Shadow Copy with Powershell
Transferring Files with Credential Data via Network Shares
NTDS Exfiltration Filename Patterns
Suspicious Get-ADDBAccount Usage
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Suspicious Active Directory Database Snapshot Via ADExplorer
Suspicious Process Patterns NTDS.DIT Exfil
NTDS.DIT Creation By Uncommon Parent Process
Possible Impacket SecretDump Remote Activity - Zeek
Shadow Copies Creation Using Operating Systems Utilities
PUA - DIT Snapshot Viewer
Copying Sensitive Files with Credential Data
VolumeShadowCopy Symlink Creation Via Mklink
Esentutl Gather Credentials
Active Directory Database Snapshot Via ADExplorer
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Transferring Files with Credential Data via Network Shares - Zeek
NTDS.DIT Created
Ntdsutil Abuse
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.