Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
TECHNIQUES
Enterprise
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Resource Development
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Domain Policy Modification
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
Credential Access
Brute Force
Credentials from Password Stores
Forge Web Credentials
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Configuration Repository
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. OS Credential Dumping
  5. NTDS

OS Credential Dumping: NTDS

ID Name
T1003.001 LSASS Memory
T1003.002 Security Account Manager
T1003.003 NTDS
T1003.004 LSA Secrets
T1003.005 Cached Domain Credentials
T1003.006 DCSync
T1003.007 Proc Filesystem
T1003.008 /etc/passwd and /etc/shadow

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.[1]

In addition to looking NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.[2]

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy
ID: T1003.003
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Windows
System Requirements: Access to Domain Controller or backup
Permissions Required: Administrator
Data Sources: PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Contributors: Ed Williams, Trustwave, SpiderLabs
Version: 1.0
Created: 11 February 2020
Last Modified: 24 March 2020

Procedure Examples

Name Description
Chimera

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[3]
CrackMapExec

CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[4]
Dragonfly 2.0

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. [5][6][7]
esentutl

esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.[8][9]
FIN6

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[10][11]

Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.[12]
Koadic

Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[13]
Wizard Spider

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.[14]

Mitigations

Mitigation Description
Encrypt Sensitive Information

Ensure Domain Controller backups are properly secured.[2]
Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
User Training

Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the NTDS.dit.

References

  1. Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.
  2. Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
  3. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  4. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  5. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  6. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  7. Core Security. (n.d.). Impacket. Retrieved November 2, 2017.
  1. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  2. Cary, M.. (2018, December 6). Locked File Access Using ESENTUTL.exe. Retrieved September 5, 2019.
  3. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  4. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  5. SecureAuth. (n.d.). Retrieved January 15, 2019.
  6. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  7. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.