Find sigma rule 
Attack: OS Credential Dumping: NTDS
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
- Volume Shadow Copy
- secretsdump.py
- Using the in-built Windows tool, ntdsutil.exe
- Invoke-NinjaCopy
MITRE
Tactic
- credential-access
technique
- T1003.003
Test : Dump Active Directory Database with NTDSUtil
OS
- windows
Description:
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the “IFM” or “Install From Media” backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
Executor
command_prompt
Sigma Rule
- proc_creation_win_ntdsutil_usage.yml (id: 2afafd61-6aae-4df4-baed-139fa1f4c345)