Esc
NTDS - T1003.003
(ATT&CK® Technique)
Definition
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit
of a domain controller.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1003003["NTDS"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003003 OffensiveTechniqueNode; class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; click T1003003 href "/offensive-technique/attack/T1003.003/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential"; CredentialRevoking["Credential Revoking"] --> | deletes | EncryptedCredential["Encrypted Credential"]; CredentialRevoking["Credential Revoking"] -.-> | May Evict | T1003003["NTDS"] ; class CredentialRevoking DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRevoking href "/technique/d3f:CredentialRevoking"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | restricts | EncryptedCredential["Encrypted Credential"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | May Harden | T1003003["NTDS"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; CredentialRotation["Credential Rotation"] --> | regenerates | EncryptedCredential["Encrypted Credential"]; CredentialRotation["Credential Rotation"] -.-> | May Harden | T1003003["NTDS"] ; class CredentialRotation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; ReissueCredential["Reissue Credential"] --> | restores | EncryptedCredential["Encrypted Credential"]; ReissueCredential["Reissue Credential"] -.-> | May Restore | T1003003["NTDS"] ; class ReissueCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | EncryptedCredential["Encrypted Credential"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | May Evict | T1003003["NTDS"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | EncryptedCredential["Encrypted Credential"]; DecoyUserCredential["Decoy User Credential"] -.-> | May Deceive | T1003003["NTDS"] ; class DecoyUserCredential DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | EncryptedCredential["Encrypted Credential"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | May Detect | T1003003["NTDS"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class EncryptedCredential ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";