Detect NTDS in Elastic Security
Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.003 NTDS
- Canonical reference
- https://attack.mitre.org/techniques/T1003/003/
Elastic Detection Query
sequence by host.id with maxspan=5m
[process where event.type == "start" and
(
(process.name : "ntdsutil.exe" and process.args : ("ifm", "install from media", "create full", "ac i ntds", "activate instance ntds")) or
(process.name : ("cmd.exe", "powershell.exe", "esentutl.exe", "vssadmin.exe", "robocopy.exe", "xcopy.exe") and
process.args : ("ntds.dit", "*ntds*") and process.args : ("*shadow*", "*dit*")) or
(process.args : ("secretsdump", "drsuapi", "dcsync", "NinjaCopy"))
)
]
| where process.pid != 4Detects NTDS.dit credential extraction via ntdsutil IFM, VSS copy, esentutl, secretsdump, DCSync, and Invoke-NinjaCopy. Sequences process activity within 5 minutes on the same host to correlate multi-step attacks.
Data Sources
Required Tables
False Positives & Tuning
- Active Directory backup software (e.g., Veeam, Windows Server Backup) using ntdsutil IFM for legitimate SYSVOL/NTDS backups during scheduled maintenance
- Domain controller decommission procedures involving authorised ntdsutil operations by sysadmins
- Security tools such as BloodHound or PingCastle performing authorised AD enumeration in approved red team exercises
Other platforms for T1003.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create NTDS IFM Backup via ntdsutil
Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.
- Test 2Copy NTDS.dit via Volume Shadow Copy
Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing ntds.dit path. System Event Log: VSS service events (8193/8194).
- Test 3DCSync via Mimikatz lsadump::dcsync
Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the mimikatz-running account. Network Event ID 3 for LDAP connections to DC.
References (6)
- https://attack.mitre.org/techniques/T1003/003/
- https://en.wikipedia.org/wiki/Active_Directory
- http://adsecurity.org/?p=1275
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-architecture
Unlock Pro Content
Get the full detection package for T1003.003 including response playbook, investigation guide, and atomic red team tests.