OS Credential Dumping: NTDS, Sub-technique T1003.003 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
OS Credential Dumping: NTDS
Other sub-techniques of OS Credential Dumping (8)

| ID | Name |
| --- | --- |
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit on a domain controller. [1]

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information. [2]

The following tools and techniques can be used to obtain the NTDS file and the password hashes of the entire Active Directory that it contains:

- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
ID: T1003.003
Sub-technique of: T1003
Tactic: Credential Access
Platforms: Windows
Contributors: Ed Williams, Trustwave, SpiderLabs
Version: 1.3
Created: 11 February 2020
Last Modified: 15 April 2025
Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| G0007 | APT28 | APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access. [3] |
| C0051 | APT28 Nearest Neighbor Campaign | During APT28 Nearest Neighbor Campaign, APT28 dumped NTDS.dit through creating volume shadow copies via vssadmin. [4] |
| G0096 | APT41 | APT41 used ntdsutil to obtain a copy of the victim environment ntds.dit file. [5] |
| G0114 | Chimera | Chimera has gathered the SYSTEM registry and ntds.dit files from target systems. [6] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via `msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv` and used ntdsutil to copy the Active Directory database. [7] |
| S0488 | CrackMapExec | CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy. [8] |
| C0029 | Cutting Edge | During Cutting Edge, threat actors accessed and mounted virtual hard disk backups to extract ntds.dit. [9] |
| G0035 | Dragonfly | Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. [10] [11] |
| S0404 | esentutl | esentutl can copy ntds.dit using the Volume Shadow Copy service. [12] [13] |
| G1016 | FIN13 | FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it. [14] |
| G0037 | FIN6 | FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database. [15] [16] |
| G0117 | Fox Kitten | Fox Kitten has used Volume Shadow Copy to access credential information from NTDS. [17] |
| G0125 | HAFNIUM | HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT). [18] [19] |
| S0357 | Impacket | SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit. [20] |
| G0004 | Ke3chang | Ke3chang has used NTDSDump and other password dumping tools to gather credentials. [21] |
| S0250 | Koadic | Koadic can gather hashed passwords by gathering domain controller hashes from NTDS. [22] |
| G1004 | LAPSUS$ | LAPSUS$ has used the Windows built-in tool ntdsutil to extract the Active Directory (AD) database. [23] |
| G0045 | menuPass | menuPass has used Ntdsutil to dump credentials. [24] |
| G0129 | Mustang Panda | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file. [25] |
| C0048 | Operation MidnightEclipse | During Operation MidnightEclipse, threat actors obtained Active Directory credentials via the NTDS.DIT file. [26] |
| G0034 | Sandworm Team | Sandworm Team has used ntdsutil.exe to back up the Active Directory database, likely for credential access. [27] |
| G1015 | Scattered Spider | Scattered Spider has extracted the NTDS.dit file by creating volume shadow copies of virtual domain controller disks. [28] |
| G1017 | Volt Typhoon | Volt Typhoon has used ntdsutil to create domain controller installation media containing usernames and password hashes. [29] [30] [31] [32] |
| G0102 | Wizard Spider | Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the use of the Windows utility, ntdsutil. [33] [34] |
Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M1041 | Encrypt Sensitive Information | Ensure Domain Controller backups are properly secured. [2] |
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |
Detection

DS0017 Command: Command Execution

Detects: Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command lines that attempt to access or copy NTDS.dit.

Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utility commands and parameters that can be used to copy the ntds.dit file; it is recommended to keep the list of commands and parameters up to date.

Analytic 1 - Command line attempt to access or create a copy of ntds.dit file

((sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="800") AND ((CommandLine LIKE "%ntds%" AND CommandLine LIKE "%ntdsutil%" AND CommandLine LIKE "%create%") OR (CommandLine LIKE "%vssadmin%" AND CommandLine LIKE "%create%" AND CommandLine LIKE "%shadow%") OR (CommandLine LIKE "%copy%" AND CommandLine LIKE "%ntds.dit%")))

DS0022 File: File Access

Detects: Monitor for access to, or copying of, NTDS.dit.

Note: Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users requesting access to, or accessing, file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. Access rights that allow read operations on file objects and their attributes are %%4416 Read file data, %%4419 Read extended file attributes, and %%4423 Read file attributes. If you search for just the name of the file and not the entire directory, you will also get access events related to the ntds.dit file within a snapshot or volume shadow copy.

Events 4656 and 4663 (Microsoft Windows Security Auditing) also provide context of processes and users creating or copying file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. Again, a SACL must be defined for the ntds.dit file for these events to be generated. To filter for file creation events, filter on access rights %%4417 Write data to the file and %%4424 Write file attributes.

Event 11 (Microsoft Windows Sysmon) provides context of processes and users creating or copying files. Note that this event records the file being created (the destination of a copy), not the source file being copied. A good starting point is to look for new files created or copied with the extension .dit.

Analytic 1 - Active Directory Dumping via NTDSUtil

(sourcetype=WinEventLog:Security EventCode IN (4656, 4663)) OR (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") AND ObjectType="File" AND TargetFilename="*ntds.dit" AND (AccessList="%%4416" OR AccessList="%%4419" OR AccessList="%%4417" OR AccessList="%%4424")
References
[1] Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.
[2] Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
[3] NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
[4] Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
[5] Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
[6] Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
[7] Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
[8] byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
[9] Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
[10] US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
[11] Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
[12] LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
[13] Cary, M. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
[14] Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
[15] FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
[16] McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
[17] CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
[18] Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
[19] Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
[20] SecureAuth. (n.d.). Retrieved January 15, 2019.
[21] MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
[22] Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
[23] MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
[24] Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
[25] Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
[26] Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
[27] MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
[28] Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
[29] Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
[30] NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
[31] Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
[32] CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
[33] Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
[34] Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.