DET0586 Detection of NTDS.dit Credential Dumping from Domain Controllers

Item	Value
ID	DET0586
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1003.003 (NTDS)

Analytics

Windows

AN1611

Detects credential dumping attempts targeting the NTDS.dit database by monitoring shadow copy creation, suspicious file access to %SystemRoot%\NTDS\ntds.dit, and the use of tooling like ntdsutil.exe or volume management APIs.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
File Modification (DC0061)	WinEventLog:Sysmon	EventCode=2
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Volume Creation (DC0097)	WinEventLog:Microsoft-Windows-VSS	Volume Shadow Copy Creation

Mutable Elements

Field	Description
TargetFilePath	Tunable for NTDS file location or backup paths if organization uses custom domain controller storage structure.
ParentProcessName	Can suppress backup-related parent processes to reduce false positives.
TimeWindow	Temporal correlation between shadow copy creation and NTDS file access (e.g., 5 min window).
UserContext	Tune based on expected privileged user/service account behavior.