NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once the attacker has obtained a copy of this file, they parse it offline, which provides an alternative to DCSync attacks for retrieving Active Directory's sensitive content.

See Also

How Attackers Dump Active Directory Database Credentials

Extracting Password Hashes from the Ntds.dit File

MITRE ATT&CK description

Indicator Details

Name: NTDS Extraction

Codename: I-NtdsExtraction

Severity: Critical

MITRE ATT&CK Information:
ID: T1003.003
Sub-technique of: T1003
Tactic: TA0006