Home
ATT&CK Techniques
T1003.003 NTDS

T1003.003 NTDS Mappings

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

Volume Shadow Copy
secretsdump.py
Using the in-built Windows tool, ntdsutil.exe
Invoke-NinjaCopy

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-16	Security and Privacy Attributes	Protects	T1003.003	NTDS
AC-02	Account Management	Protects	T1003.003	NTDS
AC-03	Access Enforcement	Protects	T1003.003	NTDS
AC-05	Separation of Duties	Protects	T1003.003	NTDS
AC-06	Least Privilege	Protects	T1003.003	NTDS
CA-07	Continuous Monitoring	Protects	T1003.003	NTDS
CM-02	Baseline Configuration	Protects	T1003.003	NTDS
CM-05	Access Restrictions for Change	Protects	T1003.003	NTDS
CM-06	Configuration Settings	Protects	T1003.003	NTDS
CP-09	System Backup	Protects	T1003.003	NTDS
IA-02	Identification and Authentication (organizational Users)	Protects	T1003.003	NTDS
IA-05	Authenticator Management	Protects	T1003.003	NTDS
SC-28	Protection of Information at Rest	Protects	T1003.003	NTDS
SC-39	Process Isolation	Protects	T1003.003	NTDS
SI-12	Information Management and Retention	Protects	T1003.003	NTDS
SI-03	Malicious Code Protection	Protects	T1003.003	NTDS
SI-04	System Monitoring	Protects	T1003.003	NTDS
SI-07	Software, Firmware, and Information Integrity	Protects	T1003.003	NTDS