Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to extract the NTDS file and the credential hashes it holds for the entire Active Directory.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement protects against NTDS through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. References: none. |
PR.DS-01.01 | Data-at-rest protection | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement focuses on protecting data at rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring. References: none. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement protects against OS Credential Dumping: NTDS through key revocation and key management. Key protection strategies for the key material that protects domain controller backups, combined with restricting access to specific accounts and other access control mechanisms, protect against adversaries trying to obtain credentials from NTDS backups. References: none. |
ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement protects credential data and sensitive PII in Active Directory domain databases from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. References: none. |
ID.AM-08.05 | Data destruction procedures | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement protects credential data and sensitive PII in Active Directory domain databases from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques. References: none. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1003.003 | NTDS | Comments: This diagnostic statement protects against NTDS through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts. References: none. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1003.003 | NTDS | Comments: Google SecOps is able to trigger an alert based on process creations and attacks against the NTDS database on Windows platforms (e.g., execution of "ntdsutil.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows |
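The Google SecOps mapping above describes alerting on process creations such as the execution of "ntdsutil.exe", and the technique description notes that adversaries also go after backups or copies of NTDS.dit. The following Python is an added example, not code from the ATT&CK page, the mappings project, or Google's detection-rules repository (which holds YARA-L rules). It runs simple, defender-side heuristics over constructed event lines whose field names are modelled on Windows Security event 4688 (process creation) and 4663 (object access); the sample events, the watchlist, and the `lsass.exe` expectation for access to the live database are assumptions made for the example.

```python
"""Added example: heuristic detection of NTDS.dit access/copy activity
over constructed Windows Security event lines. Not a production rule."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Default NTDS database directory on a domain controller (from the page),
# with %SystemRoot% assumed to expand to C:\Windows; compared lowercase.
DEFAULT_NTDS_DIR = r"c:\windows\ntds"

# Process images worth an alert when started on a domain controller.
# ntdsutil.exe is the example the page names; extend as your environment needs.
WATCHED_IMAGES = {"ntdsutil.exe"}

# Process expected to hold the live database open (assumption for the heuristic).
EXPECTED_DB_PROCESS = "lsass.exe"

# Constructed sample events in flattened key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID=4688 Computer=DC01 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe"',
    r'EventID=4688 Computer=DC01 SubjectUserName=adm_jdoe NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Temp\notes.txt"',
    r'EventID=4688 Computer=DC01 SubjectUserName=adm_jdoe NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir C:\Backup\ntds.dit"',
    r'EventID=4663 Computer=DC01 SubjectUserName=SYSTEM ProcessName=C:\Windows\System32\lsass.exe ObjectName=C:\Windows\NTDS\ntds.dit AccessMask=0x1',
    r'EventID=4663 Computer=DC01 SubjectUserName=adm_jdoe ProcessName=C:\Windows\explorer.exe ObjectName=C:\Backup\DC01\ntds.dit AccessMask=0x1',
    r'EventID=4663 Computer=DC01 SubjectUserName=adm_jdoe ProcessName=C:\Users\adm_jdoe\tool.exe ObjectName=C:\Windows\NTDS\ntds.dit AccessMask=0x1',
]


@dataclass
class Alert:
    host: str
    user: str
    reason: str
    record: dict = field(repr=False)


# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict, stripping value quotes."""
    out = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the NTDS heuristics to a parsed event; return an Alert or None."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")
    user = event.get("SubjectUserName", "?")

    if eid == "4688":  # process creation
        image = _basename(event.get("NewProcessName", ""))
        cmdline = event.get("CommandLine", "").lower()
        if image in WATCHED_IMAGES:
            return Alert(host, user, f"watched process started: {image}", event)
        if "ntds.dit" in cmdline:
            return Alert(host, user, "command line references ntds.dit", event)

    elif eid == "4663":  # object access (requires a SACL on the file)
        obj = event.get("ObjectName", "").lower()
        proc = _basename(event.get("ProcessName", ""))
        if _basename(obj) == "ntds.dit":
            if not obj.startswith(DEFAULT_NTDS_DIR):
                # A copy or backup of the database outside its home directory.
                return Alert(host, user, f"ntds.dit outside default directory: {obj}", event)
            if proc != EXPECTED_DB_PROCESS:
                # Something other than lsass touching the live database.
                return Alert(host, user, f"non-{EXPECTED_DB_PROCESS} access to live ntds.dit by {proc}", event)
    return None


def scan(lines) -> List[Alert]:
    """Parse and evaluate every line, returning the alerts in input order."""
    return [a for a in (evaluate(parse_event(line)) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.user}: {alert.reason}")
```

Of the six constructed events, four should alert (the ntdsutil start, the command line naming ntds.dit, the copy under `C:\Backup`, and the non-lsass read of the live file); the notepad start and lsass's own access stay quiet. The 4663 rules only fire if file-system auditing with a SACL on the NTDS directory is actually enabled on the domain controllers, so a deployment of this idea needs that audit configuration first.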