Skip to content

T1003.003 OSCredentialDumping NTDSusingTools

T1003.003 - OS Credential Dumping: NTDS using Tools

DESCRIPTION

A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

Example:

cmd /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp > C:\Windows\Temp\.tmp

Related\ Volt Typhoon activity

Reference:

https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C
https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
https://docs.microsoft.com/sysinternals/downloads/procdump

ATT&CK TACTICS

T1003.003 - OS Credential Dumping: NTDS

Data Source(s): Process, Command

SENTINEL RULE QUERY

1
2
let c1 = dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"]);
find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1)

Triage

  1. Inspect which account and at what time the activity was performed
  2. Question the user if the activity was expected and approved

VERSION

Version 1.0 (date: 10/07/2023)