title: NTDS (T1003.003)
id: df00tech-t1003-003
status: experimental
description: "Adversaries extract credentials from the Active Directory domain database NTDS.dit, located by default at %SystemRoot%\\NTDS\\Ntds.dit on domain controllers. The file holds the password hashes of every account in the domain. The live file is held open by the directory service (lsass.exe), so every dumping method works around that lock: ntdsutil.exe ifm, which writes an install-from-media copy (used by APT28, Sandworm, Volt Typhoon, LAPSUS$, APT41); a Volume Shadow Copy followed by a copy of ntds.dit out of the snapshot; esentutl.exe /y with /vss; Invoke-NinjaCopy, which reads the raw volume; and secretsdump.py, which either parses an exfiltrated copy offline or pulls the hashes remotely over DRSUAPI. The SYSTEM registry hive must be taken as well, because its boot key is needed to decrypt the hashes. Widely used by state-sponsored groups and ransomware operators. One of the highest-impact credential theft techniques: a single dump yields every account's hash and enables offline cracking and pass-the-hash across the whole domain."
references:
  - https://attack.mitre.org/techniques/T1003/003/
  - https://df00tech.com/detections/T1003.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection matches every process_creation event, so at level critical the rule
  # fires on every process start. Replace it before deployment.
  # The detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized AD database backups using ntdsutil IFM for DC promotion (including RODCs) or disaster recovery testing
  - "AD synchronization tools (Azure AD Connect, FIM/MIM) using DRSUAPI for legitimate directory synchronization"
  - Automated DR testing scripts that create NTDS backups per approved runbooks
  - IT operations using Volume Shadow Copy for routine AD backup (check against authorized backup windows)
level: critical
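Added example, not the df00tech query and not part of the rule above: a Python matcher that implements the process_creation checks implied by the methods the description lists (ntdsutil IFM, esentutl, a Volume Shadow Copy followed by a copy of ntds.dit, Invoke-NinjaCopy) plus the companion SYSTEM hive export, run over constructed Sysmon-style events. secretsdump.py is deliberately absent: it runs on the attacker's host over DRSUAPI or SMB and creates no process on the domain controller, so process_creation telemetry cannot see it. The field names, indicator substrings, sample command lines and the triage rule are my assumptions, and the substrings can be evaded (for example by encoded PowerShell), so treat this as a starting point for tuning, not a finished rule.

```python
"""Process-creation matcher for the NTDS.dit dump methods listed in the rule.

Illustrative code, not the df00tech query. Event fields follow Sysmon EventID 1 /
Security 4688 naming (Image, CommandLine, ParentImage); sample events are constructed.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str                      # method from the rule description
    images: tuple[str, ...]        # allowed process basenames; empty = any image
    all_of: tuple[str, ...]        # every substring must occur in CommandLine
    any_of: tuple[str, ...] = ()   # at least one must occur, if non-empty


# Substrings are matched case-insensitively against the whole command line.
INDICATORS = (
    Indicator("ntdsutil IFM export", ("ntdsutil.exe",), (), ("ifm", "create full")),
    Indicator("esentutl copy of ntds.dit", ("esentutl.exe",), ("ntds.dit", "/y")),
    Indicator("volume shadow copy created", ("vssadmin.exe",), ("create", "shadow")),
    Indicator("ntds.dit read from a shadow copy", (), ("harddiskvolumeshadowcopy", "ntds.dit")),
    Indicator("Invoke-NinjaCopy raw volume read", ("powershell.exe", "pwsh.exe"), ("invoke-ninjacopy",)),
    # Companion step: the SYSTEM hive holds the boot key needed to decrypt the hashes.
    Indicator("SYSTEM hive export", ("reg.exe",), ("save",), ("hklm\\system", "hkey_local_machine\\system")),
)

# On their own these are routine admin activity (see falsepositives); they only
# become interesting next to a direct read of ntds.dit.
COMPANION_ONLY = {"volume shadow copy created", "SYSTEM hive export"}


def match_event(event: dict) -> list[str]:
    """Return the names of every indicator the process_creation event satisfies."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    for ind in INDICATORS:
        if ind.images and image not in ind.images:
            continue
        if not all(s in cmd for s in ind.all_of):
            continue
        if ind.any_of and not any(s in cmd for s in ind.any_of):
            continue
        hits.append(ind.name)
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Flatten matches to (event index, indicator name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Keep companion-only hits (VSS creation, SYSTEM hive export) only when the same
    batch also contains a direct read of ntds.dit; otherwise drop them as noise."""
    hits = scan(events)
    if any(name not in COMPANION_ONLY for _, name in hits):
        return hits
    return [(i, name) for i, name in hits if name not in COMPANION_ONLY]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\Temp\ntds.dit",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SYSTEM C:\Temp\system.hiv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -LocalDestination C:\Temp\ntds.dit",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: ntdsutil used for metadata cleanup, no IFM export.
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "metadata cleanup" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running the block prints the six dump-related events and stays silent on the benign ntdsutil and svchost lines; feeding it only the vssadmin event returns nothing, which is the behaviour the falsepositives section asks for around routine shadow-copy backups.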
