This note documents detection patterns related to NTDS Dumping within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Look for execution of tools capable of dumping NTDS such as ntdsutil.exe, secretsdump.py, mimikatz, or vssadmin. Review CommandLine and ParentProcessName. |
| Security | 4673 | Sensitive privilege used | High | Privilege usage such as SeBackupPrivilege often required for NTDS extraction. |
| Security | 4656 | Handle requested to object | High | Access to NTDS.dit file or volume shadow copy devices. |
| Security | 4663 | Object access | High | File access events involving NTDS.dit or shadow copy volumes. |
| Sysmon | 1 | Process creation | Critical | Execution of NTDS dumping utilities or commands interacting with volume shadow copies. |
| Sysmon | 11 | File creation | High | Creation of NTDS.dit copies or related dump files. |
| Sysmon | 3 | Network connection | Medium | Remote execution tools communicating with domain controllers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Volume shadow copy creation | Use of vssadmin or wmic shadowcopy commands | Critical | Common method to bypass NTDS file locks. |
| ntdsutil execution | Running ntdsutil to extract database snapshots | High | Often indicates a credential dumping attempt. |
| Temporary NTDS copies | Files named ntds.dit appearing outside the standard AD database directory | High | Attackers often copy the database for offline extraction. |
| Suspicious admin activity on DC | Commands executed from compromised administrative accounts | High | Domain controller compromise scenario. |
| Post-dump credential usage | Authentication using domain admin accounts shortly after NTDS extraction | Critical | Indicates attacker cracked or reused domain hashes. |
Common Tools
| Tool | Usage |
|---|---|
| ntdsutil | Creates snapshots and extracts NTDS.dit database. |
| Impacket secretsdump.py | Remotely extracts NTDS credentials from domain controllers. |
| Mimikatz | Can extract credentials from NTDS database. |
| vssadmin | Creates volume shadow copies allowing access to locked files. |
| wmic shadowcopy | Alternative method for creating shadow copies. |
| Cobalt Strike | Often used to run credential dumping modules. |
Relevant Artifacts
- Windows Security logs (4688, 4673, 4656, 4663)
- Sysmon logs (1, 3, 11)
- NTDS.dit database copies
- Volume Shadow Copy artifacts
- Prefetch entries for dumping utilities
- MFT artifacts showing database copies
- PowerShell logs if dumping executed via scripts
- Endpoint telemetry identifying suspicious activity on domain controllers
MITRE ATT&CK References
- T1003 OS Credential Dumping
- T1003.003 NTDS
- T1078 Valid Accounts
- T1552 Unsecured Credentials
Decision Tree
- Is the suspicious event present?
  - Look for commands involving ntdsutil, vssadmin, or shadow copy creation.
- What host generated the event?
  - Determine whether the activity occurred on a domain controller or remotely.
- Is the account expected to perform this action?
  - Only domain administrators performing backups normally access the NTDS database.
- Pivot:
  - Source host → review executed commands and scripts.
  - Account → verify privileges and group membership.
  - Network → check for lateral movement following credential extraction.
- Confirm exploitation:
  - Investigate whether extracted domain hashes were used for authentication attempts.
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4688
| where CommandLine contains "ntdsutil" or CommandLine contains "vssadmin"
| project TimeGenerated, Computer, NewProcessName, CommandLine, ParentProcessName
```

```kql
// Assumes Sysmon events are ingested into a table named Sysmon
Sysmon
| where EventID == 11
| where TargetFilename contains "ntds.dit"
| project TimeGenerated, Computer, TargetFilename, Image
```
EQL
```eql
process where process.command_line like "*ntdsutil*" or process.command_line like "*vssadmin*"
```
Sigma
```yaml
title: NTDS Database Dump Attempt
id: ntds-dump-detection
status: experimental
description: Detects potential NTDS database dumping via ntdsutil or shadow copy utilities
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - "ntdsutil"
      - "vssadmin"
      - "shadowcopy"
  condition: selection
fields:
  - CommandLine
  - ParentProcessName
falsepositives:
  - Legitimate domain controller backup operations
level: critical
tags:
  - attack.credential_access
  - attack.t1003.003
```
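As an added example (not part of the original note), the process-creation and file-creation templates above are combined with the decision tree's host/account pivot into one triage routine run over constructed sample events. The default NTDS directory, the svc-backup account name and the severity scheme are assumptions made here.

```python
from pathlib import PureWindowsPath
# Terms from the templates above; default AD DB directory and backup account are assumptions here.
DUMP_TOOL_TERMS = ("ntdsutil", "vssadmin", "shadowcopy")
NTDS_DEFAULT_DIR = PureWindowsPath(r"C:\Windows\NTDS")
EXPECTED_BACKUP_ACCOUNTS = {"corp\\svc-backup"}

# Constructed sample events (not real telemetry), reduced to the fields the templates project.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "Account": "CORP\\jdoe",
     "CommandLine": "ntdsutil.exe snapshot", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 11, "Computer": "DC01", "Account": "CORP\\jdoe",
     "TargetFilename": "C:\\temp\\x\\Active Directory\\ntds.dit", "Image": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"EventID": 11, "Computer": "DC02", "Account": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Windows\\NTDS\\ntds.dit", "Image": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 4688, "Computer": "DC02", "Account": "CORP\\svc-backup",
     "CommandLine": "vssadmin.exe list shadows", "ParentProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

def process_creation_hit(ev):
    """Security 4688 or Sysmon 1: the command line names an NTDS dumping or shadow copy tool."""
    cmd = ev.get("CommandLine", "").lower()
    return ev["EventID"] in (4688, 1) and any(term in cmd for term in DUMP_TOOL_TERMS)

def stray_ntds_copy(ev):
    """Sysmon 11: ntds.dit written outside the default AD directory (the live database is not flagged)."""
    if ev["EventID"] != 11:
        return False
    path = PureWindowsPath(ev.get("TargetFilename", ""))
    return path.name.lower() == "ntds.dit" and NTDS_DEFAULT_DIR not in path.parents

def rate(account, reasons):
    """critical: tool launch plus stray copy; review: lone tool launch by a backup account; else high."""
    if len(reasons) > 1:
        return "critical"
    if account.lower() in EXPECTED_BACKUP_ACCOUNTS and reasons[0].startswith("dump-tool"):
        return "review"
    return "high"

def triage(events):
    """Pivot hits by (host, account), as the decision tree does, and rate each pair."""
    findings = {}
    for ev in events:
        reasons = []
        if process_creation_hit(ev):
            reasons.append("dump-tool command line: " + ev["CommandLine"])
        if stray_ntds_copy(ev):
            reasons.append("ntds.dit copy outside %s: %s" % (NTDS_DEFAULT_DIR, ev["TargetFilename"]))
        if reasons:
            findings.setdefault((ev["Computer"], ev["Account"]), []).extend(reasons)
    return {k: {"severity": rate(k[1], v), "reasons": v} for k, v in findings.items()}
```

The "review" rating mirrors the Sigma rule's false-positive note: a backup account launching the tool still gets a ticket, but a tool launch paired with an ntds.dit copy on the same host and account escalates regardless of who ran it.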
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege restriction | Limit domain admin privileges | High | Reduces ability to access NTDS database. |
| Monitoring | Alert on shadow copy creation on domain controllers | High | Helps detect NTDS dumping preparation. |
| Endpoint protection | Deploy EDR on domain controllers | High | Detects suspicious credential extraction activity. |
| Backup controls | Restrict backup operators and monitor backup operations | Medium | Prevents abuse of backup privileges. |
| Logging | Enable auditing of object access and process creation | High | Improves detection capability. |