Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in
%SystemRoot%\NTDS\Ntds.dit of a domain controller.
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
Chimera has gathered the SYSTEM registry and ntds.dit files from target systems. Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via
Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used
|M1041||Encrypt Sensitive Information||
Ensure Domain Controller backups are properly secured.
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
|M1026||Privileged Account Management||
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit.
Monitor for access or copy of the NTDS.dit.