T1003.003 Google Chronicle · YARA-L

Detect NTDS in Google Chronicle

Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.003 NTDS
Canonical reference
https://attack.mitre.org/techniques/T1003/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule ntds_credential_dumping {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects NTDS.dit credential extraction via ntdsutil IFM, VSS copy, esentutl, secretsdump, DCSync, and Invoke-NinjaCopy on domain controllers"
    mitre_attack = "T1003.003"
    severity = "CRITICAL"
    priority = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      (
        re.regex($e.target.process.file.full_path, `(?i)ntdsutil\.exe`) and
        (
          re.regex($e.target.process.command_line, `(?i)(ifm|install\s+from\s+media|create\s+full|ac\s+i\s+ntds|activate\s+instance\s+ntds)`) or
          re.regex($e.target.process.command_line, `(?i)ntds\.dit`)
        )
      ) or
      re.regex($e.target.process.command_line, `(?i)(secretsdump|drsuapi|dcsync|ninja.?copy)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)esentutl\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(ntds|\.dit|shadow)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|vssadmin\.exe|robocopy\.exe|xcopy\.exe)`) and
        re.regex($e.target.process.command_line, `(?i)ntds`) and
        re.regex($e.target.process.command_line, `(?i)(shadow|dit)`)
      )
    )

  condition:
    $e
}
critical severity high confidence

Google Chronicle YARA-L 2.0 rule detecting NTDS.dit credential dumping across all known extraction methods. Uses UDM process launch events to identify ntdsutil IFM operations, VSS-assisted copies, esentutl extraction, secretsdump, DCSync, and Invoke-NinjaCopy by matching process image paths and command line arguments.

Data Sources

Chronicle UDM (Windows endpoint telemetry via Forwarder)Chronicle Ingestion API (Sysmon / EDR data normalised to UDM)Google Security Operations SIEM

Required Tables

UDM events (PROCESS_LAUNCH type)

False Positives & Tuning

  • Authorised ntdsutil IFM operations performed by AD administrators during domain controller backup windows
  • Security assessment tooling (BloodHound, PingCastle) run during approved penetration testing engagements
  • Domain migration scripts referencing NTDS.dit paths for legitimate AD restructuring
Download portable Sigma rule (.yml)

Other platforms for T1003.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create NTDS IFM Backup via ntdsutil

    Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.

  2. Test 2Copy NTDS.dit via Volume Shadow Copy

    Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing ntds.dit path. System Event Log: VSS service events (8193/8194).

  3. Test 3DCSync via Mimikatz lsadump::dcsync

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the mimikatz-running account. Network Event ID 3 for LDAP connections to DC.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1550.003Pass the TicketT1007System Service DiscoveryT1490Inhibit System Recovery

Same Tactic: Credential Access

Popular Detections