MITRE Technique [T1003.003] OS Credential Dumping: NTDS

[T1003.003] OS Credential Dumping: NTDS – Adversaries target the Active Directory database (NTDS.dit) to harvest domain credentials and account metadata, often by copying live files or backups using built-in tools or shadow copies. This enables wide lateral movement and persistent access. #NTDS #CredentialDumping

Keypoints

  • NTDS.dit contains domain account hashes and metadata; exfiltrating it yields many credentials at once.
  • Attackers use Volume Shadow Copy to get consistent copies without taking the DC offline.
  • Built-in tools like ntdsutil.exe and legitimate sysadmin utilities are abused for copying NTDS.dit.
  • Tools like secretsdump.py and Invoke-NinjaCopy automate extraction and hash dumping from NTDS.dit.
  • Monitoring command lines, file access on %SystemRoot%\NTDS, and shadow-copy creation improves detection.

Description:

  • Like a thief copying the master key ring from a building manager’s safe, stealing NTDS.dit gives attackers keys to unlock nearly every door in a network.
  • Adversaries copy or enumerate the Active Directory database (NTDS.dit) or backups using shadow copies, built-in utilities, or dumpers to obtain hashed credentials and directory metadata, enabling credential replay, lateral movement, and domain persistence.

Detection:

  • Alert on creation of Volume Shadow Copies on domain controllers outside scheduled backups. Use built-in events (VSS) and backup software logs to correlate.
  • Monitor process execution and command-line arguments for ntdsutil.exe, vssadmin, wbadmin, ntbackup, and PowerShell commands like Invoke-NinjaCopy; log Sysmon ProcessCreate and command lines.
  • Detect use of secretsdump.py or other Python dumpers by monitoring unusual Python executions on domain controllers and by restricting Python usage on DCs.
  • Log and alert on file access to %SystemRoot%\NTDS\Ntds.dit and related log/journal files; capture File Access events via Sysmon/EDR with enhanced auditing.
  • Watch for copies of NTDS.dit stored outside expected backup locations, and alert on large reads of AD database files. Use DLP and EDR to block or quarantine such transfers.
  • Correlate unusual service account usage, privileged ticket requests, or sudden exports of directory metadata with NTDS access attempts to reduce false positives.
  • Harden by restricting local admin on DCs, enforcing LAPS/Privileged Access Workstations, enabling Protected Process Light (PPL) for LSASS where possible, and requiring multi-factor authentication and Just-In-Time access for privileged actions; document normal admin workflows to reduce alert fatigue.
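The process-monitoring bullets above as runnable detection logic, an added example that is not part of the ATT&CK entry: it scores constructed Sysmon ProcessCreate records using the process names and path fragments the guidance lists, and treats the DC hostname, backup window and backup service account as assumed environment values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Process images and command-line fragments named in the detection guidance.
DUMP_IMAGES = {"ntdsutil.exe", "vssadmin.exe", "wbadmin.exe", "ntbackup.exe"}
DUMP_FRAGMENTS = ("ntds.dit", "secretsdump", "invoke-ninjacopy")
# Assumptions (constructed): DC01 is a domain controller, scheduled backups run
# 02:00-03:00 UTC under CORP\svc_backup. Tune these to the real environment.
DOMAIN_CONTROLLERS = {"DC01"}
BACKUP_WINDOW = (time(2, 0), time(3, 0))
BACKUP_ACCOUNTS = {"corp\\svc_backup"}

@dataclass
class Alert:
    host: str
    user: str
    severity: str
    reason: str

def in_backup_window(utc_time: str) -> bool:
    t = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S").time()
    return BACKUP_WINDOW[0] <= t < BACKUP_WINDOW[1]

def evaluate(ev: dict) -> Optional[Alert]:
    """Score one Sysmon Event ID 1 (ProcessCreate) record; None means no alert."""
    host, user = ev["Computer"], ev["User"].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"].lower()
    hits = [f for f in DUMP_FRAGMENTS if f in cmd]
    if hits:  # direct reference to the database or a known dumper, on any host
        return Alert(host, user, "high", "command line references " + ", ".join(hits))
    if host not in DOMAIN_CONTROLLERS:
        return None
    if image in DUMP_IMAGES:
        # Backup tooling in its window under its service account is expected noise;
        # anything else invoking VSS/backup tooling on a DC needs a look.
        if in_backup_window(ev["UtcTime"]) and user in BACKUP_ACCOUNTS:
            return Alert(host, user, "low", image + " during scheduled backup window")
        return Alert(host, user, "high", image + " on a DC outside scheduled backups")
    if image == "python.exe":  # Python on a DC is unexpected in this environment
        return Alert(host, user, "medium", "python interpreter executed on a DC")
    return None

def run_detection(events: List[dict]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed sample records using Sysmon ProcessCreate field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-02 02:15:00", "Computer": "DC01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin start backup -backupTarget:E:"},
    {"UtcTime": "2024-05-02 14:37:12", "Computer": "DC01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"UtcTime": "2024-05-02 14:41:03", "Computer": "WS42", "User": "CORP\\jdoe",
     "Image": "C:\\Python311\\python.exe", "CommandLine": "python.exe secretsdump.py <args>"},
    {"UtcTime": "2024-05-02 14:50:00", "Computer": "DC01", "User": "CORP\\jdoe",
     "Image": "C:\\Python311\\python.exe", "CommandLine": "python.exe -c \"print(1)\""},
    {"UtcTime": "2024-05-02 15:00:00", "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]
```

Run `run_detection(SAMPLE_EVENTS)` to see one low, two high and one medium alert; the svchost record produces none.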

Tactics:
Credential Access

Platforms:
Windows

Data Sources:
Command: Command Execution, File: File Access

Relationship Citations:
(Citation: US-CERT TA18-074A),(Citation: Core Security Impacket),(Citation: Secureworks BRONZE PRESIDENT December 2019),(Citation: Volexity UPSTYLE 2024),(Citation: Microsoft Volt Typhoon May 2023),(Citation: LOLBAS Esentutl),(Citation: Rostovcev APT41 2021),(Citation: Volexity Ivanti Zero-Day Exploitation January 2024),(Citation: NCC Group Chimera January 2021),(Citation: Volexity Exchange Marauder March 2021),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Nearest Neighbor Volexity),(Citation: Symantec Cicada November 2020),(Citation: Mandiant FIN12 Oct 2021),(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: Microsoft NICKEL December 2021),(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024),(Citation: MSTIC Octo Tempest Operations October 2023),(Citation: FireEye KEGTAP SINGLEMALT October 2020),(Citation: FireEye FIN6 April 2016),(Citation: Github Koadic),(Citation: Impacket Tools),(Citation: Cary Esentutl),(Citation: Secureworks BRONZE SILHOUETTE May 2023),(Citation: CME Github September 2018),(Citation: Microsoft Prestige ransomware October 2022),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: MSTIC DEV-0537 Mar 2022),(Citation: FireEye FIN6 Apr 2019),(Citation: Microsoft Silk Typhoon MAR 2025),(Citation: Cycraft Chimera April 2020),(Citation: Metcalf 2015)

Read More: https://attack.mitre.org/techniques/T1003/003