Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.003 | OS Credential Dumping: NTDS | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.003 | OS Credential Dumping: NTDS | |
| attribute.confidentiality.data_disclosure | None | related-to | T1003.003 | OS Credential Dumping: NTDS |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1003.003 | NTDS |
Comments
Google SecOps is able to trigger an alert based on process creations and attacks against the NTDS database on Windows platforms (e.g., execution of "ntdsutil.exe")
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows
References
|