OS Credential Dumping: NTDS

Description

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.ad | | Active Directory | Standard AD User | LDAP | List of Domain Computers and Users | |

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: NTDS

Platform: Windows

Products Required: Tenable.ad or Tenable.io

Tenable Release Date: 2022 Q2