H3-2021-0046

Credential Dumping - Active Directory Services Database (NTDS)

Category SECURITY_CONTROLS
Base Score 7.2

Description

The NTDS.dit file on a Windows domain controller contains the credentials of all domain users. There are a variety of methods to retrieve the contents of this file, such as using the ntdsutil tool, Volume Shadow Copy, and Impacket secretsdump.py. The DCSync method can also be used to achieve the same outcome by replicating the directory services database to a simulated remote domain controller. In most cases, access to a privileged account such as Domain Administrator is needed to perform these actions.
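
The following Python is an added detection example, not part of this advisory, showing how a defender can flag the two activity patterns described above from Windows Security events: DCSync-style replication requests (event 4662 carrying the directory replication control-access-right GUIDs) made by a principal that is not a domain controller, and process creation (event 4688) whose command line invokes ntdsutil IFM, vssadmin shadow creation, or NTDS.dit directly. The dict field names, the DC account list and the sample events are constructed assumptions modelled on those event schemas.

```python
import re

# Control-access-right GUIDs that appear in the Properties field of a 4662 event
# when a principal requests directory replication (the rights DCSync relies on).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Command-line patterns on 4688 events associated with copying NTDS.dit.
NTDS_CMD_PATTERNS = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),        # ntdsutil "Install From Media" export
    re.compile(r"vssadmin.*create\s+shadow", re.I),  # shadow copy of the system volume
    re.compile(r"ntds\.dit", re.I),                   # direct reference to the database file
]

def is_dc_account(name, dc_accounts):
    """True if `name` is one of the domain controller computer accounts (assumed allowlist)."""
    return name.rstrip("$").upper() in {d.rstrip("$").upper() for d in dc_accounts}

def detect_ntds_dumping(events, dc_accounts):
    """Return (subject, reason) alerts for non-DC replication and NTDS extraction commands."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 4662:
            rights = {g for g in REPLICATION_GUIDS if g in ev.get("properties", "").lower()}
            if rights and not is_dc_account(ev["subject"], dc_accounts):
                names = ", ".join(sorted(REPLICATION_GUIDS[g] for g in rights))
                alerts.append((ev["subject"], "DCSync replication request: " + names))
        elif ev["event_id"] == 4688:
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in NTDS_CMD_PATTERNS):
                alerts.append((ev["subject"], "NTDS extraction command: " + cmd))
    return alerts

# Constructed sample data: two DCs and four events (one benign replication, one DCSync
# by a user account, one ntdsutil IFM export, one unrelated process start).
DC_ACCOUNTS = ["DC01$", "DC02$"]
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "DC02$",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "jsmith",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4688, "subject": "jsmith",
     "command_line": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    {"event_id": 4688, "subject": "svc_backup",
     "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for subject, reason in detect_ntds_dumping(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"ALERT {subject}: {reason}")
```

Event 4662 is only logged when the Directory Service Access audit subcategory is enabled on the domain controllers, and legitimate non-DC replication consumers (for example directory synchronisation service accounts) should be added to the allowlist rather than suppressed by disabling the check.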

Impact

An attacker who is able to dump all domain credentials can access any resource in the Active Directory environment, masquerade as any user or service, and establish long-term persistence.

References