T1003.003 CrowdStrike LogScale · LogScale

Detect NTDS in CrowdStrike LogScale

Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.003 NTDS
Canonical reference
https://attack.mitre.org/techniques/T1003/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(ntdsutil|secretsdump|esentutl)\.exe$/ OR CommandLine = /(?i)(ntds\.dit|secretsdump|drsuapi|dcsync|ninja.?copy|ifm|install from media|create full|ac i ntds|activate instance ntds)/
| eval DumpMethod = case(
    ImageFileName = /(?i)ntdsutil/ AND CommandLine = /(?i)(ifm|install from media|create full|ac i ntds)/, "NtdsUtil-IFM",
    CommandLine = /(?i)(secretsdump|drsuapi)/, "SecretsDump",
    CommandLine = /(?i)dcsync/, "DCSync",
    ImageFileName = /(?i)esentutl/ AND CommandLine = /(?i)(ntds|shadow)/, "ESENTUtil-Copy",
    CommandLine = /(?i)ninja.?copy/, "NinjaCopy",
    CommandLine = /(?i)ntds\.dit/, "DirectNTDSCopy",
    true(), "Other"
  )
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, DumpMethod], function=[count(as=EventCount), max(ContextTimeStamp, as=LastSeen), min(ContextTimeStamp, as=FirstSeen)])
| sort LastSeen desc
| select ComputerName, UserName, ImageFileName, CommandLine, DumpMethod, EventCount, FirstSeen, LastSeen
critical severity high confidence

Detects NTDS.dit credential dumping on Windows domain controllers using CrowdStrike Falcon ProcessRollup2 events. Identifies ntdsutil IFM operations, secretsdump/drsuapi usage, DCSync execution, esentutl-based NTDS extraction, and Invoke-NinjaCopy by analysing process image names and full command lines. Groups results by host and method for efficient triage.

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events)CrowdStrike Falcon LogScale (Humio) data pipelineFalcon Insight XDR telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor itself or Windows Defender performing authorised NTDS health checks
  • Active Directory backup agents (Veeam, CommVault) invoking ntdsutil for scheduled DC backups
  • Domain controller promotion workflows executed by authorised AD administrators during change windows
Download portable Sigma rule (.yml)

Other platforms for T1003.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create NTDS IFM Backup via ntdsutil

    Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.

  2. Test 2Copy NTDS.dit via Volume Shadow Copy

    Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing ntds.dit path. System Event Log: VSS service events (8193/8194).

  3. Test 3DCSync via Mimikatz lsadump::dcsync

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the mimikatz-running account. Network Event ID 3 for LDAP connections to DC.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1550.003Pass the TicketT1007System Service DiscoveryT1490Inhibit System Recovery

Same Tactic: Credential Access

Popular Detections