Detect NTDS in Microsoft Sentinel
Adversaries extract credentials from NTDS.dit, the Active Directory domain database stored at %SystemRoot%\NTDS\Ntds.dit on every domain controller. The file holds the password hashes of every domain account, but LSASS keeps it locked while the DC is running, so attackers obtain a copy rather than reading it in place: ntdsutil.exe IFM (used by APT28, Sandworm, Volt Typhoon, LAPSUS$ and APT41), a Volume Shadow Copy followed by a file copy, esentutl.exe, secretsdump.py, or Invoke-NinjaCopy. Decrypting the hashes also requires the boot key from the SYSTEM registry hive, so an exfiltrated ntds.dit is normally accompanied by a SYSTEM hive export. The technique is common to most major intrusion sets and ransomware operators and is among the highest-impact forms of credential theft: one file compromises the entire domain, including the krbtgt account.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.003 NTDS
- Canonical reference
- https://attack.mitre.org/techniques/T1003/003/
KQL Detection Query
let NtdsutilAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ntdsutil.exe"
| where ProcessCommandLine has_any (
"ifm", "install from media", "create full",
"ac i ntds", "activate instance ntds"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let SecretsDumpNTDS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("ntds.dit", "secretsdump", "drsuapi", "dcsync")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let VSSCopyNTDS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "vssadmin.exe", "esentutl.exe", "robocopy.exe", "xcopy.exe")
| where ProcessCommandLine has_all ("ntds", "dit") or ProcessCommandLine has_all ("shadow", "ntds")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
let DCSync = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 135 or RemotePort == 389 or RemotePort == 636 or RemotePort == 3268
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "python.exe", "python3.exe")
| where InitiatingProcessCommandLine has_any ("dcsync", "drsuapi", "secretsdump")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
union NtdsutilAccess, SecretsDumpNTDS, VSSCopyNTDS, DCSync
| sort by Timestamp desc

Detects NTDS.dit credential extraction via four vectors: (1) ntdsutil.exe with IFM (install from media) commands, (2) command lines that reference ntds.dit, secretsdump, DRSUAPI or DCSync, (3) file copy operations targeting ntds.dit via VSS or esentutl, and (4) network connections from scripting interpreters to domain controller ports (LDAP 389/636/3268 and the RPC endpoint mapper on 135) with DCSync-related command-line patterns. Two caveats: DCSync itself (T1003.006) replicates over MS-DRSR, an RPC interface reached via port 135 and a dynamic high port, not over LDAP, and vector 4 only fires when the tool name or "dcsync" appears on the interpreter's command line. The stronger DC-side signal is Security Event ID 4662 with the DS-Replication-Get-Changes-All right requested by an account that is neither a DC nor a known sync account, which this query does not cover. Also note that has, has_any and has_all are whole-term matches, not substring searches, so "ntds" does not match inside "ntdsutil"; a process row that matches more than one vector appears once per vector in the union.
Data Sources
- Microsoft Defender for Endpoint process creation (with command line) and network connection telemetry, streamed into Sentinel through the Microsoft Defender XDR data connector
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
False Positives & Tuning
- Authorized AD database backups using ntdsutil IFM for RODC provisioning or disaster-recovery testing; allowlist the approved backup account and DC pair rather than the command string
- AD synchronization tools (Azure AD Connect, now Microsoft Entra Connect; FIM/MIM) using DRSUAPI for legitimate directory synchronization; these mainly affect a 4662-based DCSync rule, since their service processes do not carry "dcsync" or "secretsdump" on the command line
- Automated DR testing scripts that create NTDS backups per approved runbooks
- IT operations using Volume Shadow Copy for routine AD backup (check against authorized backup windows and the destination path; a copy of ntds.dit into C:\Temp or a user profile is not a backup)
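The following is an added example, not part of the page's Sentinel content: a stand-alone Python model of the KQL query above and of the tuning points in this list, run over constructed telemetry so the matching can be checked offline. The event records, device names, account names and the backup window are constructed for illustration; `has()` reproduces KQL's whole-term, case-insensitive matching, and the DC port list includes the RPC endpoint mapper (135) in addition to the LDAP ports, since DCSync replication runs over RPC.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "query time"; the KQL uses ago(24h) relative to now.
QUERY_TIME = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(hours=24)


@dataclass(frozen=True)
class ProcessEvent:  # subset of DeviceProcessEvents columns
    timestamp: datetime
    device: str
    account: str
    file_name: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:  # subset of DeviceNetworkEvents columns
    timestamp: datetime
    device: str
    remote_ip: str
    remote_port: int
    initiating_file: str
    initiating_cmd: str


def has(text: str, term: str) -> bool:
    """KQL `has`: case-insensitive whole-term match, not a substring search.
    'ntds' therefore does NOT match inside 'ntdsutil'."""
    pattern = r"(?<![0-9a-z])" + re.escape(term) + r"(?![0-9a-z])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def has_any(text: str, terms) -> bool:
    return any(has(text, t) for t in terms)


def has_all(text: str, terms) -> bool:
    return all(has(text, t) for t in terms)


def in_lookback(ts: datetime) -> bool:
    return ts > QUERY_TIME - LOOKBACK


NTDSUTIL_TERMS = ("ifm", "install from media", "create full", "ac i ntds", "activate instance ntds")
SECRETSDUMP_TERMS = ("ntds.dit", "secretsdump", "drsuapi", "dcsync")
COPY_TOOLS = {"cmd.exe", "powershell.exe", "vssadmin.exe", "esentutl.exe", "robocopy.exe", "xcopy.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "python.exe", "python3.exe"}
DC_PORTS = {135, 389, 636, 3268}  # RPC endpoint mapper plus the LDAP ports

# Hypothetical tuning: an approved backup service account on a named DC, honoured
# only inside the nightly backup window (01:00-03:00 UTC). Outside it, it still alerts.
AUTHORIZED_BACKUP = {("corp\\svc-adbackup", "DC01")}
BACKUP_WINDOW_HOURS = (1, 3)


def process_vectors(evt: ProcessEvent) -> list:
    """Vector names a DeviceProcessEvents row matches (one union row per vector)."""
    hits, cmd, fn = [], evt.command_line, evt.file_name.lower()
    if fn == "ntdsutil.exe" and has_any(cmd, NTDSUTIL_TERMS):
        hits.append("NtdsutilAccess")
    if has_any(cmd, SECRETSDUMP_TERMS):
        hits.append("SecretsDumpNTDS")
    if fn in COPY_TOOLS and (has_all(cmd, ("ntds", "dit")) or has_all(cmd, ("shadow", "ntds"))):
        hits.append("VSSCopyNTDS")
    return hits


def network_vectors(evt: NetworkEvent) -> list:
    if (evt.remote_port in DC_PORTS and evt.initiating_file.lower() in INTERPRETERS
            and has_any(evt.initiating_cmd, ("dcsync", "drsuapi", "secretsdump"))):
        return ["DCSync"]
    return []


def is_authorized_backup(evt: ProcessEvent) -> bool:
    lo, hi = BACKUP_WINDOW_HOURS
    return (evt.account.lower(), evt.device) in AUTHORIZED_BACKUP and lo <= evt.timestamp.hour < hi


def detect(process_events, network_events) -> list:
    """Union of the four vectors, tuned, sorted by Timestamp desc like the KQL."""
    alerts = []
    for e in process_events:
        if not in_lookback(e.timestamp) or is_authorized_backup(e):
            continue
        for v in process_vectors(e):
            alerts.append({"timestamp": e.timestamp, "vector": v, "device": e.device,
                           "subject": e.account, "command": e.command_line})
    for e in network_events:
        if not in_lookback(e.timestamp):
            continue
        for v in network_vectors(e):
            alerts.append({"timestamp": e.timestamp, "vector": v, "device": e.device,
                           "subject": e.remote_ip, "command": e.initiating_cmd})
    return sorted(alerts, key=lambda a: a["timestamp"], reverse=True)


T = QUERY_TIME
SAMPLE_PROCESS = [  # constructed rows
    ProcessEvent(T - timedelta(minutes=30), "DC01", "corp\\jdoe", "ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'),
    ProcessEvent(T - timedelta(minutes=20), "DC01", "corp\\jdoe", "cmd.exe",
                 r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"),
    ProcessEvent(T.replace(hour=2), "DC01", "corp\\svc-adbackup", "ntdsutil.exe",   # approved window
                 'ntdsutil.exe "ac i ntds" "ifm" "create full E:\\Backups\\ifm" q q'),
    ProcessEvent(T - timedelta(hours=1), "DC01", "corp\\svc-adbackup", "ntdsutil.exe",  # same account, 11:00
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'),
    ProcessEvent(T - timedelta(minutes=5), "WS07", "corp\\asmith", "powershell.exe",
                 "powershell.exe -c Get-Process ntdsutil"),                              # no "ntds" term
    ProcessEvent(T - timedelta(hours=30), "DC01", "corp\\jdoe", "ntdsutil.exe",          # outside 24h
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\old" q q'),
]
SAMPLE_NETWORK = [  # constructed rows
    NetworkEvent(T - timedelta(minutes=10), "WS07", "10.0.0.5", 135, "python3.exe",
                 "python3 secretsdump.py corp/jdoe@10.0.0.5 -just-dc-ntlm"),
    NetworkEvent(T - timedelta(minutes=9), "WS07", "10.0.0.5", 443, "python3.exe",     # not a DC port
                 "python3 secretsdump.py corp/jdoe@10.0.0.5 -just-dc-ntlm"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_PROCESS, SAMPLE_NETWORK):
        print(a["timestamp"].isoformat(), a["vector"], a["device"], a["subject"])
```

The shadow-copy row surfaces twice (SecretsDumpNTDS via the "ntds.dit" term and VSSCopyNTDS via "ntds" plus "dit"), exactly as the KQL union would return it, so deduplicate on DeviceName and ProcessCommandLine before paging anyone. The backup service account is suppressed only inside its window; the same command from that account at 11:00 still alerts.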
Testing Methodology
Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create NTDS IFM Backup via ntdsutil
Expected signal: Sysmon Event ID 1 (Process Create) for ntdsutil.exe with a CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11 (FileCreate) for ntds.dit and the other database files under C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe (command-line auditing must be enabled for the arguments to appear).
- Test 2: Copy NTDS.dit via Volume Shadow Copy
Expected signal: Sysmon Event ID 1 for vssadmin.exe with 'create shadow'. Sysmon Event ID 11 (FileCreate) for atomic_ntds.dit. Sysmon Event ID 1 for the copy/xcopy/robocopy command that references the ntds.dit path inside the shadow copy. System Event Log: VSS service events, if any (8193/8194 are VSS error events, so they appear only when a snapshot operation fails).
- Test 3: DCSync via Mimikatz lsadump::dcsync
Expected signal: Sysmon Event ID 1 (Process Create) for mimikatz.exe with 'lsadump::dcsync' in the CommandLine. Security Event ID 4662 on the DC showing the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the account running mimikatz. Sysmon Event ID 3 for RPC connections to the DC (TCP 135 followed by a dynamic high port); the replication itself runs over MS-DRSR, not LDAP.
References (6)
- https://attack.mitre.org/techniques/T1003/003/
- https://en.wikipedia.org/wiki/Active_Directory
- http://adsecurity.org/?p=1275
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-architecture