T1003.003: NTDS
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.
The following tools and techniques can be used to obtain the NTDS file and extract the password hashes of every account in the Active Directory database.
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- mitre_attck_cred_access: PT-CR-600: Esentutil_Copy_File: The "esentutil" utility is started
- mitre_attck_cred_access: PT-CR-298: Access_System_Credential_Files_Via_Cmdline: An attempt to retrieve OS user credentials is detected
- mitre_attck_cred_access: PT-CR-1851: Symbolic_Link_To_Shadow_Copy_Created: Attackers can create symbolic links to Windows shadow copies to access files in these links, for example, ntds.dit
- mitre_attck_cred_access: PT-CR-766: DRSUAPI_User_Enumeration: An attempt to enumerate users using DRSUAPI is detected
- hacking_tools: PT-CR-585: Impacket_Secretsdump: Use of Impacket Secretsdump is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command lines that attempt to access or copy NTDS.dit. Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utilities, commands and parameters that can be used to copy the ntds.dit file, so it is recommended to keep the list of commands and parameters up to date. Analytic 1 - Command line attempt to access or create a copy of ntds.dit file |
| DS0022 | File: File Access | Monitor for access to, or copying of, NTDS.dit. Note: Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users requesting access to or accessing file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. These events are generated only if a System Access Control List (SACL) is defined for the ntds.dit file. Access rights that allow read operations on file objects and their attributes are %%4416 Read file data, %%4419 Read extended file attributes and %%4423 Read file attributes. If you match only the file name rather than the full directory path, you will also catch access events for the ntds.dit copy inside a snapshot or volume shadow copy. The same events (again requiring a SACL on ntds.dit) also provide context of processes and users creating or copying the file; to isolate file creation, filter on the write access rights %%4417 Write data to the file and %%4424 Write file attributes. Event 11 (Microsoft Windows Sysmon) provides context of processes and users creating or copying files; it records only the file being created (the destination), not the source file it was copied from, so a good starting point is to look for newly created or copied files with the .dit extension. Analytic 1 - Active Directory Dumping via NTDSUtil |
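The two detection rows above (DS0017 command-line monitoring and DS0022 file-access monitoring) can be expressed as simple analytics over normalized events. The following Python is an added example written for this page; it is not MaxPatrol SIEM rule logic or any vendor's code. It assumes events have already been normalized into dicts with the field names `Channel`, `EventID`, `CommandLine`, `ObjectType`, `ObjectName`, `AccessList` and `TargetFilename` (real collectors use different names), and the sample events at the bottom are constructed for the demonstration. It uses the event IDs and access-right codes the page lists, and follows the page's advice of matching the file name rather than the full path so that the copy inside a shadow-copy snapshot is also caught.

```python
"""Toy T1003.003 (NTDS) analytics over constructed Windows event records.

Field names and sample events are assumptions made for this example; they are
not the page's own rule definitions.
"""

# Access-right codes from the page's DS0022 note (Security events 4656/4663).
READ_RIGHTS = {"%%4416", "%%4419", "%%4423"}    # read data / extended attrs / attrs
WRITE_RIGHTS = {"%%4417", "%%4424"}             # write data / write attrs

# Utilities the page names as capable of dumping NTDS. Any start is worth a
# look on a domain controller, mirroring the "utility is started" style rule.
NTDS_TOOLS = ("ntdsutil", "esentutl", "secretsdump", "invoke-ninjacopy")


def check_command(event):
    """DS0017: flag a process-creation (4688 / Sysmon 1) or PowerShell (800)
    event whose command line references ntds.dit or starts a known tool."""
    cmd = event.get("CommandLine", "").lower()
    if "ntds.dit" in cmd:
        return "command line references ntds.dit"
    for tool in NTDS_TOOLS:
        if tool in cmd:
            return f"NTDS-capable utility started: {tool}"
    return None


def check_file_access(event):
    """DS0022: classify a 4656/4663 event on ntds.dit as read or write using
    the access-right codes. Requires a SACL on the file to be generated at all.
    Matching on the file name only also catches the shadow-copy path."""
    if event.get("ObjectType") != "File":
        return None
    name = event.get("ObjectName", "").lower()
    if not name.endswith("ntds.dit"):
        return None
    rights = set(event.get("AccessList", "").split())
    if rights & WRITE_RIGHTS:
        return "write/copy of ntds.dit"
    if rights & READ_RIGHTS:
        return "read of ntds.dit"
    return None


def check_sysmon_file_create(event):
    """Sysmon Event 11 records only the destination file, so a newly created
    *.dit file is the signal the page recommends starting from."""
    target = event.get("TargetFilename", "")
    if target.lower().endswith(".dit"):
        return f"new .dit file created: {target}"
    return None


# (Channel, EventID) -> analytic, following the event IDs named on the page.
HANDLERS = {
    ("Security", 4688): check_command,
    ("Sysmon", 1): check_command,
    ("PowerShell", 800): check_command,
    ("Security", 4656): check_file_access,
    ("Security", 4663): check_file_access,
    ("Sysmon", 11): check_sysmon_file_create,
}


def evaluate(events):
    """Run every event through the matching analytic; return (EventID, reason) alerts."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get((ev.get("Channel"), ev.get("EventID")))
        if handler is None:
            continue
        reason = handler(ev)
        if reason:
            alerts.append((ev["EventID"], reason))
    return alerts


# Constructed sample events (not real telemetry): two benign, five suspicious.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4688,
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"},
    {"Channel": "Security", "EventID": 4688, "CommandLine": r"ntdsutil.exe"},
    {"Channel": "PowerShell", "EventID": 800,
     "CommandLine": r"Get-ChildItem C:\Windows\NTDS\ntds.dit"},
    {"Channel": "Security", "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit", "AccessList": "%%4416 %%4423"},
    {"Channel": "Security", "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit",
     "AccessList": "%%4416"},
    {"Channel": "Security", "EventID": 4663, "ObjectType": "File",
     "ObjectName": r"C:\Windows\NTDS\edb.log", "AccessList": "%%4417"},
    {"Channel": "Sysmon", "EventID": 11, "TargetFilename": r"C:\Temp\ntds.dit"},
    {"Channel": "Sysmon", "EventID": 11, "TargetFilename": r"C:\Temp\report.docx"},
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(event_id, reason)
```

Running the block prints five alerts: the ntdsutil start, the PowerShell command line naming ntds.dit, reads of ntds.dit both at its normal path and inside a shadow-copy snapshot, and a new .dit file written under C:\Temp; the notepad, edb.log and .docx events produce nothing. In a real SIEM the 4663 analytic only fires if the SACL on ntds.dit has been configured, which is the page's main caveat.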
Mitigation
| ID | Name | Description |
|---|---|---|
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1041 | Encrypt Sensitive Information | Ensure Domain Controller backups are properly secured. |
| M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| M1017 | User Training | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |