T1003.003

NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that conta...

Windows
34 Detections
3 Sources
17 Threat Actors

BY SOURCE: sigma (22), elastic (6), splunk_escu (6)

PROCEDURES (21)

Each entry is an auto-extracted keyword with the number of detections matching it.

Dump: 4 detections
Dump: 3 detections
Shadow Cop: 3 detections
Ntds: 3 detections
Credential: 2 detections
Wmi: 2 detections
Parent Process: 2 detections
Suspicious: 2 detections
Ntds: 1 detection
Privilege: 1 detection
Powershell: 1 detection
Lateral: 1 detection
Suspicious: 1 detection
Exfiltrat: 1 detection
Credential: 1 detection
General Monitoring: 1 detection
Dump: 1 detection
Lateral: 1 detection
Privilege: 1 detection
Credential: 1 detection
Credential: 1 detection

DETECTIONS (34)

Each entry lists the detection name followed by its source and, where given, its severity level.

Copying Sensitive Files with Credential Data [sigma, high]
Create Volume Shadow Copy with Powershell [sigma, high]
Creation of Shadow Copy [splunk_escu]
Creation of Shadow Copy with wmic and powershell [splunk_escu]
Creation or Modification of Domain Backup DPAPI private key [elastic, high]
Cred Dump Tools Dropped Files [sigma, high]
Credential Dumping via Copy Command from Shadow Copy [splunk_escu]
Credential Dumping via Symlink to Shadow Copy [splunk_escu]
Esentutl Gather Credentials [sigma, medium]
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) [sigma, medium]
NTDS Dump via Wbadmin [elastic, medium]
NTDS Exfiltration Filename Patterns [sigma, high]
NTDS or SAM Database File Copied [elastic, high]
NTDS.DIT Created [sigma, low]
NTDS.DIT Creation By Uncommon Parent Process [sigma, high]
NTDS.DIT Creation By Uncommon Process [sigma, high]
Ntdsutil Abuse [sigma, medium]
Ntdsutil Export NTDS [splunk_escu]
Possible Impacket SecretDump Remote Activity [sigma, high]
Possible Impacket SecretDump Remote Activity - Zeek [sigma, high]
Potential Credential Access via Windows Utilities [elastic, high]
PowerShell Invoke-NinjaCopy script [elastic, high]
PUA - DIT Snapshot Viewer [sigma, high]
SecretDumps Offline NTDS Dumping Tool [splunk_escu]
Sensitive File Dump Via Wbadmin.EXE [sigma, high]
Sensitive File Recovery From Backup Via Wbadmin.EXE [sigma, high]
Shadow Copies Creation Using Operating Systems Utilities [sigma, medium]
Suspicious Get-ADDBAccount Usage [sigma, high]
Suspicious Process Patterns NTDS.DIT Exfil [sigma, high]
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) [sigma, medium]
Symbolic Link to Shadow Copy Created [elastic, medium]
Transferring Files with Credential Data via Network Shares [sigma, medium]
Transferring Files with Credential Data via Network Shares - Zeek [sigma, medium]
VolumeShadowCopy Symlink Creation Via Mklink [sigma, high]