T1003.003 NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit on a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to access the NTDS file and extract the password hashes it holds for the entire Active Directory.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement protects against NTDS through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.

PR.DS-01.01 | Data-at-rest protection | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement protects against OS Credential Dumping: NTDS through the use of key revocation and key management. Employing key protection strategies for the key material used to protect domain controller backups, together with limiting access to specific accounts and other access control mechanisms, provides protection against adversaries trying to obtain credentials from NTDS backups.

ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

ID.AM-08.05 | Data destruction procedures | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.

PR.AA-01.01 | Identity and credential management | Mitigates | T1003.003 | NTDS
  Comments: This diagnostic statement protects against NTDS through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1003.003 | NTDS
  Comments: CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed Windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the Active Directory database, using Windows Management Instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.

CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1003.003 | NTDS
  Comments: This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability | secondary_impact | T1003.003 | NTDS
  Comments: CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability in Check Point's Quantum Security Gateway products. It has been reported that attackers are leveraging this vulnerability to retrieve all files on the local file system, read sensitive data, and extract credentials for all local accounts, including Active Directory credentials, SSH keys, and certificates.

              GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

google_secops | Google Security Operations | technique_scores | T1003.003 | NTDS
  Comments: Google SecOps is able to trigger an alert based on process creations and attacks against the NTDS database on Windows platforms (e.g., execution of "ntdsutil.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor.
  References: https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
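The SecOps note above describes alerting on process creations that touch the NTDS database. As an added illustration of that kind of matching (this is editor-written example code, not part of the mapping page, Google's rule set, or any vendor product), the Python below scores constructed process-creation records against a few indicators tied to the tools named on this page: ntdsutil.exe export arguments, Volume Shadow Copy creation, direct references to the ntds.dit path, and the names of secretsdump.py and Invoke-NinjaCopy. The host names, user names, command lines, the DOMAIN_CONTROLLERS inventory and the rule names are all assumptions made up for the example. It goes slightly beyond the note by also flagging non-domain-controller hosts, since a copied ntds.dit is typically processed elsewhere.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str


# Constructed sample telemetry for illustration only; none of this is real data.
SAMPLE_EVENTS = [
    # ntdsutil used to export the database via IFM on a domain controller
    ProcessEvent("DC01", "CORP\\svc-backup", r"C:\Windows\System32\ntdsutil.exe",
                 r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\out" q q'),
    # shadow copy creation on the same DC (Volume Shadow Copy technique)
    ProcessEvent("DC01", "CORP\\svc-backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe create shadow /for=C:"),
    # benign ntdsutil maintenance: reports file info, exports nothing
    ProcessEvent("DC01", "CORP\\admin", r"C:\Windows\System32\ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" files info q q'),
    # a shell command that names the ntds.dit path directly
    ProcessEvent("DC02", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit E:\stage"),
    # offline parsing of an exfiltrated copy on a workstation, not a DC
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Python312\python.exe",
                 "python.exe secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL"),
    # benign: listing shadow copies is routine administration
    ProcessEvent("DC02", "CORP\\admin", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),
]

# Constructed asset inventory (assumption): which hosts are domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Each rule: (indicator name, required image basename or None, command-line pattern).
# Rule names are invented for this example.
RULES = [
    ("ntdsutil_ifm_export", "ntdsutil.exe", re.compile(r"\bifm\b|create\s+full", re.I)),
    ("vss_shadow_creation", "vssadmin.exe", re.compile(r"\bcreate\s+shadow\b", re.I)),
    ("ntds_dit_path_reference", None, re.compile(r"ntds\.dit\b", re.I)),
    ("known_dump_tool_name", None, re.compile(r"secretsdump|invoke-ninjacopy", re.I)),
]


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches, in RULES order."""
    image = ntpath.basename(event.image).lower()
    hits = []
    for name, required_image, pattern in RULES:
        if required_image is not None and image != required_image:
            continue
        if pattern.search(event.command_line):
            hits.append(name)
    return hits


def scan(events: list[ProcessEvent]) -> list[dict]:
    """Build one alert per matching event; DC hosts are rated higher because
    the live database can only be read there."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        severity = "high" if ev.host in DOMAIN_CONTROLLERS else "medium"
        alerts.append({"host": ev.host, "user": ev.user,
                       "image": ntpath.basename(ev.image),
                       "severity": severity, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The two benign records (an ntdsutil "files info" query and "vssadmin list shadows") produce no alert, which is the edge case worth keeping in mind when tuning: ntdsutil and vssadmin are legitimate administration tools, so the export and create-shadow arguments, not the binary names alone, carry the signal. In production the image check should also consider renamed binaries (original file name from the PE header, or a hash), which this string-matching sketch does not cover.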

              M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1003.003 | NTDS
  Comments: The documentation for this control's "Data exfiltration over SMB (external ID 2030)" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers. This is specific to domain controllers and therefore results in a reduced coverage score.