T1003.003 NTDS Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let NtdsutilAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any (
    "ifm", "install from media", "create full",
    "ac i ntds", "activate instance ntds"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let SecretsDumpNTDS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("ntds.dit", "secretsdump", "drsuapi", "dcsync")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let VSSCopyNTDS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "vssadmin.exe", "esentutl.exe", "robocopy.exe", "xcopy.exe")
| where ProcessCommandLine has_all ("ntds", "dit") or ProcessCommandLine has_all ("shadow", "ntds")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let DCSync = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 389 or RemotePort == 636 or RemotePort == 3268
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "python.exe", "python3.exe")
| where InitiatingProcessCommandLine has_any ("dcsync", "drsuapi", "secretsdump")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
union NtdsutilAccess, SecretsDumpNTDS, VSSCopyNTDS, DCSync
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection File: File Access Command: Command Execution

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Authorized AD database backups using ntdsutil IFM for RODC provisioning or disaster recovery testing
AD synchronization tools (Azure AD Connect, FIM/MIM) using DRSUAPI for legitimate directory synchronization
Automated DR testing scripts that create NTDS backups per approved runbooks
IT operations using Volume Shadow Copy for routine AD backup (check against authorized backup windows)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval IsNTDSDump=case(
    match(lower(Image), "ntdsutil\.exe") AND match(lower(CommandLine), "(ifm|install from media|create full|ac i ntds)"), 1,
    match(lower(CommandLine), "ntds\.dit"), 1,
    match(lower(CommandLine), "(secretsdump|drsuapi|dcsync|ninja.?copy)"), 1,
    match(lower(Image), "esentutl\.exe") AND match(lower(CommandLine), "(ntds|shadow)"), 1,
    1==1, 0
  )
| where IsNTDSDump=1
| eval DumpMethod=case(
    match(lower(Image), "ntdsutil"), "NtdsUtil-IFM",
    match(lower(CommandLine), "secretsdump|drsuapi"), "SecretsDump",
    match(lower(CommandLine), "dcsync"), "DCSync",
    match(lower(Image), "esentutl"), "ESENTUtil",
    match(lower(CommandLine), "ntds.dit"), "DirectCopy",
    1==1, "Other"
  )
| table _time, host, Image, CommandLine, User, DumpMethod
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

ntdsutil IFM used during authorized RODC installation or AD recovery testing
Azure AD Connect DirSync using DRSUAPI for password hash synchronization
Authorized domain controller cloning operations that create NTDS.dit backups
Backup agents with SYSTEM privilege accessing NTDS via VSS

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     (process.name : "ntdsutil.exe" and process.args : ("ifm", "install from media", "create full", "ac i ntds", "activate instance ntds")) or
     (process.name : ("cmd.exe", "powershell.exe", "esentutl.exe", "vssadmin.exe", "robocopy.exe", "xcopy.exe") and
      process.args : ("ntds.dit", "*ntds*") and process.args : ("*shadow*", "*dit*")) or
     (process.args : ("secretsdump", "drsuapi", "dcsync", "NinjaCopy"))
   )
  ]
| where process.pid != 4

critical severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Active Directory backup software (e.g., Veeam, Windows Server Backup) using ntdsutil IFM for legitimate SYSVOL/NTDS backups during scheduled maintenance
Domain controller decommission procedures involving authorised ntdsutil operations by sysadmins
Security tools such as BloodHound or PingCastle performing authorised AD enumeration in approved red team exercises

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Application" AS process_image,
  "Command" AS commandline,
  CASE
    WHEN LOWER("Application") LIKE '%ntdsutil%' AND (LOWER("Command") LIKE '%ifm%' OR LOWER("Command") LIKE '%install from media%' OR LOWER("Command") LIKE '%ac i ntds%') THEN 'NtdsUtil-IFM'
    WHEN LOWER("Command") LIKE '%secretsdump%' OR LOWER("Command") LIKE '%drsuapi%' THEN 'SecretsDump'
    WHEN LOWER("Command") LIKE '%dcsync%' THEN 'DCSync'
    WHEN LOWER("Application") LIKE '%esentutl%' AND LOWER("Command") LIKE '%ntds%' THEN 'ESENTUtil-Copy'
    WHEN LOWER("Command") LIKE '%ntds.dit%' THEN 'DirectNTDSCopy'
    ELSE 'Unknown'
  END AS dump_method
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Application") LIKE '%ntdsutil.exe%' AND (
      LOWER("Command") LIKE '%ifm%' OR
      LOWER("Command") LIKE '%install from media%' OR
      LOWER("Command") LIKE '%create full%' OR
      LOWER("Command") LIKE '%ac i ntds%'
    )) OR
    LOWER("Command") LIKE '%ntds.dit%' OR
    LOWER("Command") LIKE '%secretsdump%' OR
    LOWER("Command") LIKE '%drsuapi%' OR
    LOWER("Command") LIKE '%dcsync%' OR
    LOWER("Command") LIKE '%ninja%copy%' OR
    (LOWER("Application") LIKE '%esentutl.exe%' AND LOWER("Command") LIKE '%ntds%')
  )
  AND devicetime > NOW() - 1 HOURS
ORDER BY devicetime DESC
LAST 10000

critical severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log DSM Microsoft Active Directory

Required Tables

events

False Positives

Authorised Active Directory backup utilities invoking ntdsutil IFM as part of scheduled backup jobs
Domain controller promotion/demotion procedures that reference NTDS.dit in administrative scripts
IT automation tools (Ansible, SCCM) running AD health checks that inspect NTDS paths

Sumo Logic CSE

sql

_sourceCategory="Windows/EventLogs" OR _sourceCategory="Sysmon"
| where EventID = "1" OR EventID = "4688"
| json field=_raw "EventData.Image" as process_image nodrop
| json field=_raw "EventData.CommandLine" as commandline nodrop
| json field=_raw "EventData.User" as username nodrop
| json field=_raw "EventData.Computer" as hostname nodrop
| where (
    (matches(toLowerCase(process_image), "*ntdsutil.exe*") and (
      matches(toLowerCase(commandline), "*ifm*") or
      matches(toLowerCase(commandline), "*install from media*") or
      matches(toLowerCase(commandline), "*create full*") or
      matches(toLowerCase(commandline), "*ac i ntds*") or
      matches(toLowerCase(commandline), "*activate instance ntds*")
    )) or
    matches(toLowerCase(commandline), "*ntds.dit*") or
    matches(toLowerCase(commandline), "*secretsdump*") or
    matches(toLowerCase(commandline), "*drsuapi*") or
    matches(toLowerCase(commandline), "*dcsync*") or
    matches(toLowerCase(commandline), "*ninja*copy*") or
    (matches(toLowerCase(process_image), "*esentutl.exe*") and (
      matches(toLowerCase(commandline), "*ntds*") or
      matches(toLowerCase(commandline), "*shadow*")
    ))
  )
| eval dump_method = if(matches(toLowerCase(process_image), "*ntdsutil*"), "NtdsUtil-IFM",
    if(matches(toLowerCase(commandline), "*secretsdump*") or matches(toLowerCase(commandline), "*drsuapi*"), "SecretsDump",
    if(matches(toLowerCase(commandline), "*dcsync*"), "DCSync",
    if(matches(toLowerCase(process_image), "*esentutl*"), "ESENTUtil-Copy",
    if(matches(toLowerCase(commandline), "*ntds.dit*"), "DirectCopy", "Other")))))
| fields _messagetime, hostname, username, process_image, commandline, dump_method
| sort by _messagetime desc

critical severity medium confidence

Data Sources

Sumo Logic Windows Event Log Source (Sysmon) Sumo Logic Windows Event Log Source (Security) Sumo Logic Installed Collector on domain controllers

Required Tables

_sourceCategory=Windows/EventLogs _sourceCategory=Sysmon

False Positives

Scheduled backup jobs on domain controllers using ntdsutil IFM for authorised AD backups
Domain controller cloning or virtualisation snapshots referencing NTDS.dit paths
Security health-check scripts referencing NTDS.dit for integrity verification

Google Chronicle / SecOps

yaral

rule ntds_credential_dumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects NTDS.dit credential extraction via ntdsutil IFM, VSS copy, esentutl, secretsdump, DCSync, and Invoke-NinjaCopy on domain controllers"
    mitre_attack = "T1003.003"
    severity = "CRITICAL"
    priority = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      (
        re.regex($e.target.process.file.full_path, `(?i)ntdsutil\.exe`) and
        (
          re.regex($e.target.process.command_line, `(?i)(ifm|install\s+from\s+media|create\s+full|ac\s+i\s+ntds|activate\s+instance\s+ntds)`) or
          re.regex($e.target.process.command_line, `(?i)ntds\.dit`)
        )
      ) or
      re.regex($e.target.process.command_line, `(?i)(secretsdump|drsuapi|dcsync|ninja.?copy)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)esentutl\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(ntds|\.dit|shadow)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|vssadmin\.exe|robocopy\.exe|xcopy\.exe)`) and
        re.regex($e.target.process.command_line, `(?i)ntds`) and
        re.regex($e.target.process.command_line, `(?i)(shadow|dit)`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM (Windows endpoint telemetry via Forwarder) Chronicle Ingestion API (Sysmon / EDR data normalised to UDM) Google Security Operations SIEM

Required Tables

UDM events (PROCESS_LAUNCH type)

False Positives

Authorised ntdsutil IFM operations performed by AD administrators during domain controller backup windows
Security assessment tooling (BloodHound, PingCastle) run during approved penetration testing engagements
Domain migration scripts referencing NTDS.dit paths for legitimate AD restructuring

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(ntdsutil|secretsdump|esentutl)\.exe$/ OR CommandLine = /(?i)(ntds\.dit|secretsdump|drsuapi|dcsync|ninja.?copy|ifm|install from media|create full|ac i ntds|activate instance ntds)/
| eval DumpMethod = case(
    ImageFileName = /(?i)ntdsutil/ AND CommandLine = /(?i)(ifm|install from media|create full|ac i ntds)/, "NtdsUtil-IFM",
    CommandLine = /(?i)(secretsdump|drsuapi)/, "SecretsDump",
    CommandLine = /(?i)dcsync/, "DCSync",
    ImageFileName = /(?i)esentutl/ AND CommandLine = /(?i)(ntds|shadow)/, "ESENTUtil-Copy",
    CommandLine = /(?i)ninja.?copy/, "NinjaCopy",
    CommandLine = /(?i)ntds\.dit/, "DirectNTDSCopy",
    true(), "Other"
  )
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, DumpMethod], function=[count(as=EventCount), max(ContextTimeStamp, as=LastSeen), min(ContextTimeStamp, as=FirstSeen)])
| sort LastSeen desc
| select ComputerName, UserName, ImageFileName, CommandLine, DumpMethod, EventCount, FirstSeen, LastSeen

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events) CrowdStrike Falcon LogScale (Humio) data pipeline Falcon Insight XDR telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or Windows Defender performing authorised NTDS health checks
Active Directory backup agents (Veeam, CommVault) invoking ntdsutil for scheduled DC backups
Domain controller promotion workflows executed by authorised AD administrators during change windows

NTDS

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections