OS Credential Dumping: NTDS

Description

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.
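The description names the default location of NTDS.dit, but a domain controller can be configured to keep the database elsewhere, and the file is normally locked while the DC runs, so a copy of it is usually taken from a shadow copy of the volume. The following PowerShell check is an added example, not Tenable's code or part of the original page: run as an administrator on a domain controller, it reads the path the NTDS service is actually configured to use from its Parameters registry key, compares it with the default given above, and lists any shadow copies of that volume. The registry key and the Win32_ShadowCopy and Win32_Volume classes are standard Windows locations; the thresholds and wording of the warnings are the example's own.

```powershell
# Added example (not from the Tenable page). Run elevated on a domain controller.

# Default location named in the technique description.
$default = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\NTDS\Ntds.dit')

# The NTDS service records the live database path under its Parameters key.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath = $params.'DSA Database file'

Write-Host "Configured NTDS.dit path : $dbPath"
Write-Host "Default path             : $default"

if (-not $dbPath) {
    Write-Warning 'No DSA Database file value found; this host may not be a domain controller.'
    return
}
if ($dbPath -ine $default) {
    Write-Warning 'NTDS.dit is not at the default location; point file monitoring at the configured path.'
}
if (-not (Test-Path -LiteralPath $dbPath)) {
    Write-Warning 'Configured path does not resolve to a file on this host.'
}

# A shadow copy of the NTDS volume lets the locked database be copied out while the DC runs.
$drive   = [System.IO.Path]::GetPathRoot($dbPath).TrimEnd('\')          # e.g. C:
$ntdsVol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $ntdsVol.DeviceID }

if ($shadows) {
    Write-Warning ("{0} shadow copy(ies) of the NTDS volume {1} exist; confirm each is expected (backups) and not an attacker staging a copy." -f @($shadows).Count, $drive)
    $shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
} else {
    Write-Host "No shadow copies of $drive found."
}
```

Shadow copies are also created legitimately by backup software, so the output is a prompt to correlate with scheduled backups and with the Tenable LDAP enumeration results listed below, not a finding on its own.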

Products, Sensors, and Dependencies

Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes
Tenable Identity Exposure |  | Active Directory | Standard AD User | LDAP | List of Domain Computers and Users | 
Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users | Plugin ID: 167250
Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Groups | Plugin ID: 167251

References

LDAP Active Directory - Person Enumeration

LDAP Active Directory - Group Enumeration

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: NTDS

Platform: Windows

Tenable Release Date: 2022 Q2