T1003.003 — NTDS

Technique

T1003.003

Tactics

Credential Access

MISP citations

0

KEV CVEs mapped

3

Community rules

24

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1003/003

MITRE description

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-built Windows tool, ntdsutil.exe * Invoke-NinjaCopy

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-24919
• CVE-2021-44077
• CVE-2021-40539

Detection coverage

SigmaHQ community rules

• Potential Russian APT Credential Theft Activity (emerging-threats)
• Possible Impacket SecretDump Remote Activity - Zeek (core)
• Transferring Files with Credential Data via Network Shares - Zeek (core)
• Ntdsutil Abuse (core)
• Possible Impacket SecretDump Remote Activity (core)
• Transferring Files with Credential Data via Network Shares (core)
• Cred Dump Tools Dropped Files (core)
• NTDS.DIT Created (core)
• NTDS.DIT Creation By Uncommon Parent Process (core)
• NTDS.DIT Creation By Uncommon Process (core)
• NTDS Exfiltration Filename Patterns (core)
• Suspicious Get-ADDBAccount Usage (core)
• Create Volume Shadow Copy with Powershell (core)
• VolumeShadowCopy Symlink Creation Via Mklink (core)
• Esentutl Gather Credentials (core)
• Copying Sensitive Files with Credential Data (core)
• Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) (core)
• Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) (core)
• Sensitive File Dump Via Print.EXE (core)
• PUA - DIT Snapshot Viewer (core)
• Suspicious Process Patterns NTDS.DIT Exfil (core)
• Shadow Copies Creation Using Operating Systems Utilities (core)
• Sensitive File Dump Via Wbadmin.EXE (core)
• Sensitive File Recovery From Backup Via Wbadmin.EXE (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.