T1003.003 Sumo Logic CSE · Sumo

Detect NTDS in Sumo Logic CSE

Adversaries extract credentials from the Active Directory domain database NTDS.dit, located at %SystemRoot%\NTDS\Ntds.dit on domain controllers. The file contains all domain user password hashes. Methods include: ntdsutil.exe (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41), Volume Shadow Copy plus copy, esentutl.exe, secretsdump.py, and Invoke-NinjaCopy. The SYSTEM registry hive is also required for decryption. Used by virtually every major threat group and all ransomware operators. Highest-impact credential theft technique — compromises the entire domain at once.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.003 NTDS
Canonical reference
https://attack.mitre.org/techniques/T1003/003/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory="Windows/EventLogs" OR _sourceCategory="Sysmon"
| where EventID = "1" OR EventID = "4688"
| json field=_raw "EventData.Image" as process_image nodrop
| json field=_raw "EventData.CommandLine" as commandline nodrop
| json field=_raw "EventData.User" as username nodrop
| json field=_raw "EventData.Computer" as hostname nodrop
| where (
    (matches(toLowerCase(process_image), "*ntdsutil.exe*") and (
      matches(toLowerCase(commandline), "*ifm*") or
      matches(toLowerCase(commandline), "*install from media*") or
      matches(toLowerCase(commandline), "*create full*") or
      matches(toLowerCase(commandline), "*ac i ntds*") or
      matches(toLowerCase(commandline), "*activate instance ntds*")
    )) or
    matches(toLowerCase(commandline), "*ntds.dit*") or
    matches(toLowerCase(commandline), "*secretsdump*") or
    matches(toLowerCase(commandline), "*drsuapi*") or
    matches(toLowerCase(commandline), "*dcsync*") or
    matches(toLowerCase(commandline), "*ninja*copy*") or
    (matches(toLowerCase(process_image), "*esentutl.exe*") and (
      matches(toLowerCase(commandline), "*ntds*") or
      matches(toLowerCase(commandline), "*shadow*")
    ))
  )
| eval dump_method = if(matches(toLowerCase(process_image), "*ntdsutil*"), "NtdsUtil-IFM",
    if(matches(toLowerCase(commandline), "*secretsdump*") or matches(toLowerCase(commandline), "*drsuapi*"), "SecretsDump",
    if(matches(toLowerCase(commandline), "*dcsync*"), "DCSync",
    if(matches(toLowerCase(process_image), "*esentutl*"), "ESENTUtil-Copy",
    if(matches(toLowerCase(commandline), "*ntds.dit*"), "DirectCopy", "Other")))))
| fields _messagetime, hostname, username, process_image, commandline, dump_method
| sort by _messagetime desc
critical severity medium confidence

Detects NTDS.dit credential extraction attempts on Windows domain controllers by analysing Sysmon Event ID 1 and Windows Security Event ID 4688 process creation logs. Identifies ntdsutil IFM, VSS-based copies, secretsdump, DCSync, and esentutl extraction methods.

Data Sources

Sumo Logic Windows Event Log Source (Sysmon)Sumo Logic Windows Event Log Source (Security)Sumo Logic Installed Collector on domain controllers

Required Tables

_sourceCategory=Windows/EventLogs_sourceCategory=Sysmon

False Positives & Tuning

  • Scheduled backup jobs on domain controllers using ntdsutil IFM for authorised AD backups
  • Domain controller cloning or virtualisation snapshots referencing NTDS.dit paths
  • Security health-check scripts referencing NTDS.dit for integrity verification
Download portable Sigma rule (.yml)

Other platforms for T1003.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create NTDS IFM Backup via ntdsutil

    Expected signal: Sysmon Event ID 1: Process Create for ntdsutil.exe with CommandLine containing 'ac i ntds' and 'create full'. Sysmon Event ID 11: FileCreate for ntds.dit and other database files in C:\AtomicTest_NTDS. Security Event ID 4688 for ntdsutil.exe.

  2. Test 2Copy NTDS.dit via Volume Shadow Copy

    Expected signal: Sysmon Event ID 1: vssadmin.exe with 'create shadow'. Sysmon Event ID 11: FileCreate for atomic_ntds.dit. Sysmon Event ID 1: copy/xcopy/robocopy commands accessing ntds.dit path. System Event Log: VSS service events (8193/8194).

  3. Test 3DCSync via Mimikatz lsadump::dcsync

    Expected signal: Sysmon Event ID 1: Process Create for mimikatz.exe with 'lsadump::dcsync' in CommandLine. Security Event ID 4662 on the DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights for the mimikatz-running account. Network Event ID 3 for LDAP connections to DC.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.006DCSyncT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1550.003Pass the TicketT1007System Service DiscoveryT1490Inhibit System Recovery

Same Tactic: Credential Access

Popular Detections