T1003.003 Splunk · SPL

Detect NTDS in Splunk

Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1003 OS Credential Dumping
Sub-technique: T1003.003 NTDS
Canonical reference: https://attack.mitre.org/techniques/T1003/003/

SPL Detection Query

Splunk (SPL)

```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval IsNTDSDump=case(
    match(lower(Image), "ntdsutil\.exe") AND match(lower(CommandLine), "(ifm|install from media|create full|ac i ntds)"), 1,
    match(lower(CommandLine), "ntds\.dit"), 1,
    match(lower(CommandLine), "(secretsdump|drsuapi|dcsync|ninja.?copy)"), 1,
    match(lower(Image), "esentutl\.exe") AND match(lower(CommandLine), "(ntds|shadow)"), 1,
    1==1, 0
  )
| where IsNTDSDump=1
| eval DumpMethod=case(
    match(lower(Image), "ntdsutil"), "NtdsUtil-IFM",
    match(lower(CommandLine), "secretsdump|drsuapi"), "SecretsDump",
    match(lower(CommandLine), "dcsync"), "DCSync",
    match(lower(Image), "esentutl"), "ESENTUtil",
    match(lower(CommandLine), "ntds\.dit"), "DirectCopy",
    1==1, "Other"
  )
| table _time, host, Image, CommandLine, User, DumpMethod
| sort - _time
```

Severity: critical · Confidence: high

Detects NTDS.dit extraction using Sysmon Event ID 1. Identifies ntdsutil IFM commands, direct ntds.dit file access, secretsdump/DCSync tooling, and esentutl NTDS operations. DumpMethod field categorizes the attack vector for analyst triage.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • ntdsutil IFM used during authorized RODC installation or AD recovery testing
  • Azure AD Connect DirSync using DRSUAPI for password hash synchronization
  • Authorized domain controller cloning operations that create NTDS.dit backups
  • Backup agents with SYSTEM privilege accessing NTDS via VSS
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create NTDS IFM Backup via ntdsutil

    Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.

  2. Test 2: Copy NTDS.dit via Volume Shadow Copy

    Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing the ntds.dit path. System Event Log: VSS service events (8193/8194).

  3. Test 3: DCSync via Mimikatz lsadump::dcsync

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the account running mimikatz. Network Event ID 3 for LDAP connections to the DC.
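To check that the SPL query's two `case()` stages actually fire on the expected signals from the three tests above, the following added Python example (not part of this page or its detection package) replays the same regexes over a handful of constructed Sysmon Event ID 1 records. The host names, user, timestamps and the shadow-copy path placeholder are all made up; the regexes, their evaluation order and the DumpMethod labels are copied from the query. It also shows the caveat a tuner should know from Test 2: the `vssadmin create shadow` step on its own produces no hit, only the later copy command that references ntds.dit does, so the VSS and Event ID 11 signals listed above are what cover that first step.

```python
import re
from typing import Dict, List

# Regexes taken from the SPL query. Splunk's match() is an unanchored,
# case-sensitive regex search, so we lowercase the fields first exactly as
# the query does with lower(Image) / lower(CommandLine).
NTDSUTIL_IMAGE = re.compile(r"ntdsutil\.exe")
NTDSUTIL_CMD = re.compile(r"(ifm|install from media|create full|ac i ntds)")
NTDS_DIT = re.compile(r"ntds\.dit")
TOOLING = re.compile(r"(secretsdump|drsuapi|dcsync|ninja.?copy)")
ESENTUTL_IMAGE = re.compile(r"esentutl\.exe")
ESENTUTL_CMD = re.compile(r"(ntds|shadow)")

# Constructed sample events (not real telemetry). Field names mirror the
# Sysmon Event ID 1 fields the query tables; SHADOWCOPY_PATH_PLACEHOLDER
# stands in for whatever shadow-copy path the copy command would use.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-01-01T10:00:00Z", "host": "dc01", "User": "CORP\\adm-test",
     "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\AtomicTest_NTDS" q q'},
    {"_time": "2024-01-01T10:01:00Z", "host": "dc01", "User": "CORP\\adm-test",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"_time": "2024-01-01T10:02:00Z", "host": "dc01", "User": "CORP\\adm-test",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy SHADOWCOPY_PATH_PLACEHOLDER\Windows\NTDS\ntds.dit C:\Temp\atomic_ntds.dit"},
    {"_time": "2024-01-01T10:03:00Z", "host": "ws07", "User": "CORP\\adm-test",
     "Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "lsadump::dcsync"'},
    {"_time": "2024-01-01T10:04:00Z", "host": "dc01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"_time": "2024-01-01T10:05:00Z", "host": "ws07", "User": "CORP\\adm-test",
     "Image": r"C:\Python\python.exe",
     "CommandLine": "python.exe secretsdump.py dc01"},
]


def is_ntds_dump(event: Dict[str, str]) -> bool:
    """First case(): the IsNTDSDump=1 conditions, in the query's order."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if NTDSUTIL_IMAGE.search(image) and NTDSUTIL_CMD.search(cmd):
        return True
    if NTDS_DIT.search(cmd):
        return True
    if TOOLING.search(cmd):
        return True
    # "shadow" alone is NOT a hit; it only counts when the image is esentutl.
    if ESENTUTL_IMAGE.search(image) and ESENTUTL_CMD.search(cmd):
        return True
    return False


def dump_method(event: Dict[str, str]) -> str:
    """Second case(): first matching label wins, same order as the query."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if "ntdsutil" in image:
        return "NtdsUtil-IFM"
    if re.search(r"secretsdump|drsuapi", cmd):
        return "SecretsDump"
    if "dcsync" in cmd:
        return "DCSync"
    if "esentutl" in image:
        return "ESENTUtil"
    if NTDS_DIT.search(cmd):
        return "DirectCopy"
    return "Other"


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of where/eval/table/sort: hits only, newest first."""
    hits = []
    for ev in events:
        if is_ntds_dump(ev):
            hits.append({"_time": ev["_time"], "host": ev["host"], "Image": ev["Image"],
                         "CommandLine": ev["CommandLine"], "User": ev["User"],
                         "DumpMethod": dump_method(ev)})
    return sorted(hits, key=lambda h: h["_time"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f'{hit["_time"]}  {hit["host"]:5}  {hit["DumpMethod"]:13}  {hit["CommandLine"]}')
```

Running it yields four rows (SecretsDump, DCSync, DirectCopy, NtdsUtil-IFM, newest first); the vssadmin and svchost records are dropped. Because the DumpMethod labels are assigned in order, a secretsdump invocation that performs DCSync over DRSUAPI is labelled SecretsDump, not DCSync, which is worth remembering when pivoting on that field during triage.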
