
T1003.003 NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.[1]

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.[2]

The following tools and techniques can be used to enumerate the NTDS file and extract the password hashes of the entire Active Directory:

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy
ID: T1003.003
Sub-techniques: T1003.001, T1003.002, T1003.003, T1003.004, T1003.005, T1003.006, T1003.007, T1003.008
Tactics: TA0006
Platforms: Windows
Permissions required: Administrator
Version: 1.1
Created: 11 February 2020
Last Modified: 08 March 2022

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.[22]
G0114 Chimera Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[8] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.[9]
S0488 CrackMapExec CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[5]
G0035 Dragonfly Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.[17][16]
S0404 esentutl esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[6][7]
G0037 FIN6 FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[20][21]
G0117 Fox Kitten Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.[12]
G0125 HAFNIUM HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[13]
S0357 Impacket SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.[3]
G0004 Ke3chang Ke3chang has used NTDSDump and other password dumping tools to gather credentials.[19]
S0250 Koadic Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[4]
G1004 LAPSUS$ LAPSUS$ has used the Windows built-in tool ntdsutil to extract the Active Directory (AD) database.[14]
G0045 menuPass menuPass has used Ntdsutil to dump credentials.[11]
G0129 Mustang Panda Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[15]
G0034 Sandworm Team Sandworm Team has used ntdsutil.exe to back up the Active Directory database, likely for credential access.[10]
G0102 Wizard Spider Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[18]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information Ensure Domain Controller backups are properly secured.[2]
M1027 Password Policies Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
M1026 Privileged Account Management Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
M1017 User Training Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
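Detection logic for the two data components above, as an added example that is not from the ATT&CK page: it matches constructed Sysmon process-creation (Event ID 1) and Windows Security object-access (Event ID 4663) records against the tools named in the procedure examples (ntdsutil, vssadmin, esentutl, reg save, and the NtdsAudit/secretsdump/Invoke-NinjaCopy names). The field names follow those event schemas; the rule names, the EXPECTED_NTDS_READERS allow-list and every record in SAMPLE_EVENTS are assumptions constructed for the example, not captured data.

```python
"""T1003.003 detection logic over constructed log records.

Added example, not part of the ATT&CK page. Field names (Image, CommandLine,
ProcessName, ObjectName, EventID) follow the Sysmon EID 1 and Security EID 4663
schemas; every record in SAMPLE_EVENTS is constructed for this example.
"""
import re
from typing import Iterable

# Command Execution (DS0017): one rule per tool the page lists. Each rule is
# (rule name, regex the image basename must fully match, regex the command line
# must contain). Matching is case-insensitive.
COMMAND_RULES = [
    ("ntdsutil_ifm_or_ntds",     r"ntdsutil(\.exe)?", r"\b(ifm|ntds)\b"),
    ("vssadmin_create_shadow",   r"vssadmin(\.exe)?", r"create\s+shadow"),
    ("esentutl_vss_or_ntds_dit", r"esentutl(\.exe)?", r"(/vss|ntds\.dit)"),
    ("reg_save_system_hive",     r"reg(\.exe)?",      r"\bsave\b.*hklm\\system"),
    ("known_dumper_in_cmdline",  r".*",               r"(ntdsaudit|secretsdump|invoke-ninjacopy)"),
]

# File Access (DS0022): processes expected to hold ntds.dit open on a domain
# controller (assumed allow-list; extend it for a known backup agent).
EXPECTED_NTDS_READERS = {"lsass.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(event: dict) -> list:
    """Return the COMMAND_RULES names a process-creation record matches."""
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return [
        name for name, image_re, cmd_re in COMMAND_RULES
        if re.fullmatch(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)
    ]


def check_file_access_event(event: dict) -> list:
    """Flag an object-access record when an unexpected process touches ntds.dit."""
    target = event.get("ObjectName", "").lower()
    reader = _basename(event.get("ProcessName", ""))
    if target.endswith("ntds.dit") and reader not in EXPECTED_NTDS_READERS:
        return ["ntds_dit_access_by_unexpected_process"]
    return []


def scan(events: Iterable[dict]) -> list:
    """Dispatch each record to the right check; return (record index, rule) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            rules = check_process_event(ev)
        elif ev.get("EventID") == 4663:
            rules = check_file_access_event(ev)
        else:
            rules = []
        hits.extend((i, r) for r in rules)
    return hits


# Constructed records: two benign, five that mirror the procedure examples above.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\lsass.exe",   # benign: the DC's own use
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",        # benign: read-only listing
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",        # ntdsutil export (APT28 et al.)
     "CommandLine": 'ntdsutil "ac i ntds" ifm q q'},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",        # shadow copy (Mustang Panda)
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 1, "Image": r"C:\Windows\System32\esentutl.exe",        # VSS copy of a locked file
     "CommandLine": r"esentutl /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",             # SYSTEM hive (Mustang Panda)
     "CommandLine": r"reg save hklm\system C:\temp\system.hiv"},
    {"EventID": 4663, "ProcessName": r"C:\Users\Public\msadcs.exe",     # renamed NtdsAudit (Chimera)
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"record {idx}: {rule}")
```

The command-line rules alone miss a renamed binary, as the Chimera example (NtdsAudit run as msadcs.exe) shows; that is why the second check alerts on any process outside the allow-list reading ntds.dit, which in practice requires a SACL on the file so that Event ID 4663 is generated. Tune EXPECTED_NTDS_READERS for legitimate backup agents before deploying.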

References

  1. Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.
  2. Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
  3. SecureAuth. (n.d.). Retrieved January 15, 2019.
  4. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  5. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  6. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  7. Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  8. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  9. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  10. MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  11. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  12. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  13. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  14. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  15. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  16. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  17. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  18. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  19. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  20. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  21. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  22. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.