T1003.003 IBM QRadar · QRadar

Detect NTDS in IBM QRadar

Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.003 NTDS
Canonical reference
https://attack.mitre.org/techniques/T1003/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Application" AS process_image,
  "Command" AS commandline,
  CASE
    WHEN LOWER("Application") LIKE '%ntdsutil%' AND (LOWER("Command") LIKE '%ifm%' OR LOWER("Command") LIKE '%install from media%' OR LOWER("Command") LIKE '%ac i ntds%') THEN 'NtdsUtil-IFM'
    WHEN LOWER("Command") LIKE '%secretsdump%' OR LOWER("Command") LIKE '%drsuapi%' THEN 'SecretsDump'
    WHEN LOWER("Command") LIKE '%dcsync%' THEN 'DCSync'
    WHEN LOWER("Application") LIKE '%esentutl%' AND LOWER("Command") LIKE '%ntds%' THEN 'ESENTUtil-Copy'
    WHEN LOWER("Command") LIKE '%ntds.dit%' THEN 'DirectNTDSCopy'
    ELSE 'Unknown'
  END AS dump_method
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Application") LIKE '%ntdsutil.exe%' AND (
      LOWER("Command") LIKE '%ifm%' OR
      LOWER("Command") LIKE '%install from media%' OR
      LOWER("Command") LIKE '%create full%' OR
      LOWER("Command") LIKE '%ac i ntds%'
    )) OR
    LOWER("Command") LIKE '%ntds.dit%' OR
    LOWER("Command") LIKE '%secretsdump%' OR
    LOWER("Command") LIKE '%drsuapi%' OR
    LOWER("Command") LIKE '%dcsync%' OR
    LOWER("Command") LIKE '%ninja%copy%' OR
    (LOWER("Application") LIKE '%esentutl.exe%' AND LOWER("Command") LIKE '%ntds%')
  )
  AND devicetime > NOW() - 1 HOURS
ORDER BY devicetime DESC
LAST 10000
critical severity medium confidence

Detects NTDS.dit credential dumping techniques on domain controllers using Windows Security Event Log and Sysmon sources. Identifies ntdsutil IFM, secretsdump, DCSync, esentutl-based copying, and direct NTDS.dit file access via process command line analysis.

Data Sources

Microsoft Windows Security Event Log (QRadar DSM)Sysmon via Windows Event Log DSMMicrosoft Active Directory

Required Tables

events

False Positives & Tuning

  • Authorised Active Directory backup utilities invoking ntdsutil IFM as part of scheduled backup jobs
  • Domain controller promotion/demotion procedures that reference NTDS.dit in administrative scripts
  • IT automation tools (Ansible, SCCM) running AD health checks that inspect NTDS paths
Download portable Sigma rule (.yml)

Other platforms for T1003.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create NTDS IFM Backup via ntdsutil

    Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.

  2. Test 2Copy NTDS.dit via Volume Shadow Copy

    Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing ntds.dit path. System Event Log: VSS service events (8193/8194).

  3. Test 3DCSync via Mimikatz lsadump::dcsync

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the mimikatz-running account. Network Event ID 3 for LDAP connections to DC.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1550.003Pass the TicketT1007System Service DiscoveryT1490Inhibit System Recovery

Same Tactic: Credential Access

Popular Detections