CAR-2019-08-002: Active Directory Dumping via NTDSUtil
The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.
This requires filesystem data to determine whether files have been created.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| OS Credential Dumping | NTDS | Credential Access | Low |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| file | create | file_name |
| file | create | image_path |
Implementations
NTDSUtil - File Create (Pseudocode)
This base pseudocode looks for file create events where a file with a name of ntds.dit is created by the ntdsutil process.
files = search File:Create
ntds_dump = filter files where (
file_name = "ntds.dit" and
image_path = "*ntdsutil.exe")
output ntds_dump
NTDSUtil - File Create (Splunk, Sysmon native)
A Splunk/Sysmon version of the above pseudocode.
index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"
NTDSUtil - File Create (Eql, EQL native)
An EQL version of the above pseudocode.
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"
Logpoint, LogPoint native
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe"
Unit Tests
Test Case 1
- Open a Windows Command Prompt or PowerShell instance as Administrator
- Execute
ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q