T1003.003 NTDS Mappings

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy
View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1003.003 NTDS
AC-2 Account Management Protects T1003.003 NTDS
AC-3 Access Enforcement Protects T1003.003 NTDS
AC-5 Separation of Duties Protects T1003.003 NTDS
AC-6 Least Privilege Protects T1003.003 NTDS
CA-7 Continuous Monitoring Protects T1003.003 NTDS
CM-2 Baseline Configuration Protects T1003.003 NTDS
CM-5 Access Restrictions for Change Protects T1003.003 NTDS
CM-6 Configuration Settings Protects T1003.003 NTDS
CP-9 System Backup Protects T1003.003 NTDS
IA-2 Identification and Authentication (organizational Users) Protects T1003.003 NTDS
IA-5 Authenticator Management Protects T1003.003 NTDS
SC-28 Protection of Information at Rest Protects T1003.003 NTDS
SC-39 Process Isolation Protects T1003.003 NTDS
SI-12 Information Management and Retention Protects T1003.003 NTDS
SI-3 Malicious Code Protection Protects T1003.003 NTDS
SI-4 System Monitoring Protects T1003.003 NTDS
SI-7 Software, Firmware, and Information Integrity Protects T1003.003 NTDS
action.malware.variety.Capture stored data Capture data stored on system disk related-to T1003.003 OS Credential Dumping: NTDS
action.malware.variety.Password dumper Password dumper (extract credential hashes) related-to T1003.003 OS Credential Dumping: NTDS