OS Credential Dumping: NTDS

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.[1]

In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.[2]

The following tools and techniques can be used to obtain a copy of the NTDS file and extract the password hashes of every account in the Active Directory domain.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

ID: T1003.003
Sub-technique of: T1003
Platforms: Windows
System Requirements: Access to Domain Controller or backup
Permissions Required: Administrator
Data Sources: Command: Command Execution, File: File Access
Contributors: Ed Williams, Trustwave, SpiderLabs
Version: 1.0
Created: 11 February 2020
Last Modified: 14 December 2020

Procedure Examples

ID Name Description
G0114 Chimera

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[3] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via cmsadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.[4]

S0488 CrackMapExec

CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[5]

G0074 Dragonfly 2.0

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.[6][7][8]

S0404 esentutl

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[9][10]

G0037 FIN6

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[11][12]

G0117 Fox Kitten

Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.[13]

G0125 HAFNIUM

HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).[14]

S0357 Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.[15]

S0250 Koadic

Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[16]

G0045 menuPass

menuPass has used Ntdsutil to dump credentials.[17]

G0129 Mustang Panda

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[18]

G0102 Wizard Spider

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[19]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Ensure Domain Controller backups are properly secured.[2]

M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

M1017 User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.
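As an added illustration of that detection guidance (example code written for this page, not part of ATT&CK or any vendor product), the script below runs a small set of process-creation rules over constructed sample events shaped like the fields a SIEM would hold from Windows Security event 4688 or Sysmon event 1. The rules cover the tool names that appear in the procedure examples above (ntdsutil with ifm, vssadmin creating a shadow copy, esentutl copying ntds.dit, reg save of the SYSTEM hive); the host names, user names, paths and rule names are all constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation records (not real telemetry), shaped like the
# fields a SIEM would hold from Windows Security event 4688 or Sysmon event 1.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit /o"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\temp\sys.hiv"},
    # Benign workstation activity that must not fire: a registry query and a shadow-copy listing.
    {"host": "WS07", "user": "CORP\\alice", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"host": "WS07", "user": "CORP\\alice", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Each rule: (name, regex on the process image basename, regex on the command line).
# Both must match for the rule to fire; the names are assumptions for this example.
RULES = [
    ("ntdsutil_ifm",       re.compile(r"^ntdsutil(\.exe)?$", re.I),
                           re.compile(r"\bifm\b|create\s+full", re.I)),
    ("vss_create",         re.compile(r"^vssadmin(\.exe)?$", re.I),
                           re.compile(r"create\s+shadow", re.I)),
    ("ntds_file_copy",     re.compile(r"^(esentutl|cmd|powershell|xcopy|robocopy)(\.exe)?$", re.I),
                           re.compile(r"ntds\.dit", re.I)),
    ("system_hive_export", re.compile(r"^reg(\.exe)?$", re.I),
                           re.compile(r"\bsave\b.*hklm\\system\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def detect(events):
    """Return one Finding per (event, rule) pair where both patterns match."""
    findings = []
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1]
        for name, proc_re, cmd_re in RULES:
            if proc_re.search(basename) and cmd_re.search(ev["cmdline"]):
                findings.append(Finding(name, ev["host"], ev["user"], ev["cmdline"]))
    return findings


def hosts_with_extraction_chain(findings, min_rules=2):
    """A lone vssadmin or reg save call is routine administration; two or more
    distinct rules firing on one host is the NTDS extraction pattern worth triage."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    fs = detect(SAMPLE_EVENTS)
    for f in fs:
        print(f"[{f.rule}] {f.host} {f.user}: {f.cmdline}")
    print("Hosts to triage:", hosts_with_extraction_chain(fs))
```

The per-host correlation is the part worth keeping: shadow-copy creation and hive exports also occur during legitimate backups, so alerting on any single rule produces noise, while several of them on one domain controller in a short window is what the procedure examples above describe. The command-line matches only work if command-line logging is enabled for process-creation auditing (the "Include command line in process creation events" policy for event 4688, or Sysmon), so check that before relying on rules of this shape.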

References