Description
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
Mitigations (4)
Password Policies (M1027)
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Privileged Account Management (M1026)
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
User Training (M1017)
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
Encrypt Sensitive Information (M1041)
Ensure Domain Controller backups are properly secured.(Citation: Metcalf 2015)
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used the ntdsutil.exe utility to export the Active Directory database for credential access.(Citati... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain control... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used `ntdsutil.exe` to back up the Active Directory database, likely for credential access.... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has harvested the NTDS.DIT file and leveraged the [Impacket](https://attack.mitre.org/software/S0357) t... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit’s [PsExec](https://attack.mitre.org/software/S0029) NTDSGRAB module to obtain a copy... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used ntds.util to create domain controller installation media containing usernames and passw... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used Ntdsutil to dump credentials.(Citation: Symantec Cicada November 2020) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera Ap... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Volume Shadow Copy to access credential information from NTDS.(Citation: CISA AA20-259A I... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has accessed the ntds.dit file to engage in credential dumping.(Citation: Broadcom Medusa Ransom... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has gained access to credentials via exported copies of the ntds.dit Active Directory database.... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from doma... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used ntdsutil to obtain a copy of the victim environment `ntds.dit` file.(Citation: Rostovce... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. [Mustang Panda... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used NTDSDump and other password dumping tools to gather credentials.(Citation: Microsoft NICKEL... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has stolen copies of the Active Directory database (NTDS.DIT).(Citation: Volexity Exchange Marauder M... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.(Citation: MS... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has dumped NTDS.dit through volume shadow copies.(Citation: Trend Micro Earth Kasha NOV 2024)(Cita... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can dump hashed passwords associated with Active Directory using Windows' Directory Replicatio... |
| S0404 | esentutl | Tool | [esentutl](https://attack.mitre.org/software/S0404) can copy `ntds.dit` using the Volume Shadow Copy service.(Citation: LOLBAS Esentutl)(Citation: Car... |
| S0357 | Impacket | Tool | SecretsDump and [Mimikatz](https://attack.mitre.org/software/S0002) modules within [Impacket](https://attack.mitre.org/software/S0357) can perform cre... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can gather hashed passwords by gathering domain controller hashes from NTDS.(Citation: Github Koadic... |
References
- Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
- Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.
Frequently Asked Questions
What is T1003.003 (NTDS)?
T1003.003 is a MITRE ATT&CK technique named 'NTDS'. It belongs to the Credential Access tactic(s). Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as de...
How can T1003.003 be detected?
Detection of T1003.003 (NTDS) typically involves monitoring system logs, network traffic, and endpoint telemetry for the activity described above: execution of ntdsutil.exe, vssadmin, or esentutl on a domain controller, creation of volume shadow copies there, and process command lines or file access that reference NTDS.dit or domain controller backups. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
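To make the detection answer concrete for the tools listed in the Description (ntdsutil.exe, Volume Shadow Copy via vssadmin, esentutl), here is an added example that is not part of the ATT&CK page: a small set of command-line checks run over constructed process-creation events (Security 4688 with command-line auditing, or Sysmon Event ID 1 style fields). The event layout, host names and the domain-controller inventory are assumptions for the example.

```python
import re

# Constructed process-creation events for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "DC01", "image": r"C:\Windows\System32\lsass.exe", "cmd": "lsass.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmd": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\tmp\\out" quit quit'},
    {"host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe create shadow /for=C:"},
    {"host": "DC01", "image": r"C:\Windows\System32\esentutl.exe",
     "cmd": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\tmp\ntds.dit"},
    {"host": "DC01", "image": r"C:\Windows\System32\esentutl.exe",
     "cmd": r"esentutl.exe /p C:\ProgramData\app\mail.edb"},   # benign ESE repair
    {"host": "WS07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},                       # workstation, read-only
]

# Hypothetical inventory of domain controllers; in practice pull it from AD or the CMDB.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Each rule: (name, predicate over (image file name, lowercased command line, host is a DC)).
# Shadow-copy creation is only alerted on domain controllers to keep backup noise down.
RULES = [
    ("ntdsutil IFM/NTDS export",
     lambda img, cmd, dc: img == "ntdsutil.exe" and ("ifm" in cmd or "create full" in cmd)),
    ("shadow copy created on a domain controller",
     lambda img, cmd, dc: dc and img == "vssadmin.exe"
     and re.search(r"\bcreate\s+shadow\b", cmd) is not None),
    ("esentutl copy through VSS",
     lambda img, cmd, dc: img == "esentutl.exe" and "/vss" in cmd),
    ("command line references ntds.dit",
     lambda img, cmd, dc: "ntds.dit" in cmd and img != "lsass.exe"),
]

def detect_ntds_theft(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return (host, rule name, original command line) for every rule an event matches."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()   # strip the directory part
        cmd = ev["cmd"].lower()
        is_dc = ev["host"] in domain_controllers
        for name, pred in RULES:
            if pred(image, cmd, is_dc):
                findings.append((ev["host"], name, ev["cmd"]))
    return findings

if __name__ == "__main__":
    for host, rule, cmd in detect_ntds_theft(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {cmd}")
```

The benign esentutl repair and the workstation `vssadmin list shadows` produce no findings, while the esentutl VSS copy matches two rules, which is the kind of overlap that is useful for scoring in a SIEM.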
What mitigations exist for T1003.003?
There are 4 documented mitigations for T1003.003. Key mitigations include: Password Policies, Privileged Account Management, User Training, Encrypt Sensitive Information.
Which threat groups use T1003.003?
Known threat groups using T1003.003 include: APT28, Scattered Spider, Sandworm Team, FIN13, FIN6, Volt Typhoon, menuPass, Chimera.