T1003.003 - NTDS
Sub-technique
Tactics:
Credential Access
Platforms:
Windows
Detection:
Not specified
Description:
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located at `%SystemRoot%\NTDS\Ntds.dit` on a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the entire contents of the Active Directory hashes:
* Volume Shadow Copy
* secretsdump.py
* Using the built-in Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
Used by Actors (17)
* APT28 (Nation-state)
* FIN6 (Unknown)
* MUSTANG PANDA (Nation-state)
* WIZARD SPIDER (Nation-state)
* APT41 (Nation-state)
* Fox Kitten (Unknown)
* HAFNIUM (Unknown)
* FIN13 (Unknown)
* Volt Typhoon (Unknown)
* Scattered Spider (Unknown)
* Medusa Group (Unknown)
* Dragonfly (Unknown)
* Sandworm Team (Unknown)
* Ke3chang (Unknown)
* LAPSUS$ (Unknown)
* Chimera (Unknown)
* menuPass (Unknown)
Malware (4)
Metadata
| MITRE ID: | T1003.003 |
| STIX ID: | attack-pattern--edf91964-b26e-... |
| Platforms: | Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |