NTDS (T1003.003)

Information

• Name: NTDS

• ID: T1003.003

• Tactics:

• Technique:

Introduction

The NTDS (NT Directory Services) technique () is a sub-technique within the MITRE ATT&CK framework categorized under credential dumping. Attackers leverage this method to extract hashed and plaintext credentials from the NTDS.dit database file, which is the Active Directory (AD) database storing critical user authentication information. Extracting credentials from NTDS.dit allows attackers to escalate privileges, move laterally within networks, and maintain persistent access to compromised environments.

Deep Dive Into Technique

The NTDS.dit file is a critical database used by Active Directory Domain Controllers to store sensitive information such as usernames, password hashes, group memberships, and other authentication-related data. Specifically, attackers target this database to retrieve password hashes, Kerberos keys, and other sensitive credential information.

Attackers typically execute this sub-technique using one or more of the following methods:

• Volume Shadow Copy (VSS):

  • Attackers create a Volume Shadow Copy of the NTDS.dit file to bypass file locks set by Windows.

  • Tools such as vssadmin, diskshadow, or wmic are commonly used for shadow copy creation.

  • Once a shadow copy is created, attackers copy the NTDS.dit file and the SYSTEM registry hive (required for decrypting password hashes) to another location for offline analysis.

• Direct Extraction with Tools:

  • Attackers may use tools like Ntdsutil.exe (native Windows utility), secretsdump.py (from Impacket), or Mimikatz to directly extract credentials from NTDS.dit.

  • These tools parse the NTDS.dit database offline and extract password hashes, Kerberos keys, and other sensitive data.

• Exfiltration and Offline Analysis:

  • Attackers often exfiltrate the NTDS.dit file and SYSTEM registry hive to external locations for offline analysis.

  • Offline extraction reduces the risk of detection and allows attackers to carefully analyze and crack password hashes at their convenience.

Technical components involved in this sub-technique:

• NTDS.dit: Active Directory database file located in %SystemRoot%\NTDS\NTDS.dit.

• SYSTEM Registry Hive: Located at %SystemRoot%\System32\Config\SYSTEM, contains encryption keys necessary to decrypt the NTDS database.

• Volume Shadow Copy Service (VSS): Windows service leveraged to bypass file locks on NTDS.dit.

When this Technique is Usually Used

This sub-technique commonly appears in various attack scenarios and stages, including:

• Privilege Escalation:

  • Attackers use NTDS credential dumping to escalate privileges from initial compromised accounts to domain administrator or other high-privileged accounts.

• Credential Access and Lateral Movement:

  • Extracted credentials enable attackers to authenticate as legitimate users, move laterally across the network, and gain deeper footholds within the infrastructure.

• Persistence and Long-term Access:

  • Attackers store and reuse compromised credentials to maintain persistent access to the network without triggering repeated alerts.

• Reconnaissance and Credential Harvesting:

  • Attackers targeting Active Directory environments often perform NTDS credential dumping early in the intrusion lifecycle to identify valuable targets and credentials.

How this Technique is Usually Detected

Detection of NTDS credential dumping involves monitoring specific events, behaviors, and indicators of compromise (IoCs):

• Event Log Monitoring:

  • Monitor Windows Security logs for suspicious privilege escalation (Event IDs 4672, 4624).

  • Monitor Volume Shadow Copy creation events (Event IDs 8222, 8224) in Application logs.

  • Monitor unusual execution of tools such as ntdsutil.exe, vssadmin.exe, diskshadow.exe, and wmic.exe.

• File Access and Modification Monitoring:

  • Monitor and alert on unauthorized access or copying of NTDS.dit and SYSTEM registry hive files.

  • Track suspicious file copies from %SystemRoot%\NTDS\ or %SystemRoot%\System32\Config\.

• Endpoint Detection and Response (EDR):

  • Deploy EDR tools to detect suspicious behaviors related to credential dumping, such as memory scraping or shadow copy creation.

• Network Monitoring and Data Exfiltration Detection:

  • Monitor network traffic for large data transfers or unusual outbound connections indicative of NTDS.dit exfiltration.

Indicators of Compromise (IoCs) include:

• Unusual Volume Shadow Copy creations.

• Suspicious execution of credential dumping tools (Mimikatz, Impacket, ntdsutil).

• Unexpected file access or copy operations involving NTDS.dit and SYSTEM registry hive.

• Unusual outbound network traffic patterns.

Why it is Important to Detect This Technique

Early detection of NTDS credential dumping is critical due to the severe impacts and risks associated with compromised credentials:

• Privilege Escalation:

  • Attackers who successfully dump credentials can rapidly escalate privileges to Domain Administrator or other high-level accounts, significantly increasing their control over the environment.

• Lateral Movement:

  • Compromised credentials enable attackers to authenticate as legitimate users, move laterally across the network, and compromise additional systems and data.

• Persistence and Long-term Compromise:

  • Attackers can reuse dumped credentials to maintain persistent access, making remediation difficult and increasing the duration of compromise.

• Data Exfiltration and Breach Impact:

  • Credential dumping facilitates further exploitation, data theft, and potential ransomware deployment, significantly increasing the severity and cost of security incidents.

Early detection allows security teams to:

• Immediately contain and remediate the compromise before broader damage occurs.

• Revoke compromised credentials and reset affected accounts.

• Strengthen defenses and prevent further lateral movement or privilege escalation.

• Minimize the risk of extensive data breaches and operational disruption.

Examples

Real-world examples demonstrating NTDS credential dumping include:

• APT29 (Cozy Bear):

  • Known to use credential dumping techniques, including extraction of NTDS.dit credentials, to move laterally and escalate privileges within targeted networks.

  • Tools used: Custom scripts, Mimikatz, and Impacket's secretsdump.py.

  • Impact: Persistent, stealthy access to sensitive government and corporate networks.

• NotPetya Ransomware Attack (2017):

  • Attackers leveraged credential dumping from NTDS.dit to move laterally and propagate ransomware rapidly across affected networks.

  • Tools used: Mimikatz for credential extraction.

  • Impact: Massive disruption, significant data loss, and financial damage to global organizations.

• FIN6 Financial Threat Actor:

  • Utilized NTDS credential dumping to escalate privileges and gain administrative control of payment processing environments.

  • Tools used: Mimikatz, Impacket toolkit.

  • Impact: Theft of payment card data, financial losses, and reputational damage for victim organizations.

• Operation Cloud Hopper (APT10):

  • Leveraged credential dumping from NTDS.dit to compromise managed service providers (MSPs) and their clients.

  • Tools used: Custom scripts, credential dumping tools.

  • Impact: Extensive espionage, theft of intellectual property, and sensitive business information from MSPs and their customers.

These examples illustrate the wide range of threat actors and attack scenarios leveraging NTDS credential dumping to achieve significant and damaging outcomes.