Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

OS Credential Dumping: NTDS (T1003.003)

Severity

High

Description

Attackers may attempt to dump the ntds.dit file, which stores all Active Directory account information, to later extract passwords and hashes from it.

Attacker's Goals

Retrieve Active Directory data, to perform malicious activities such as lateral movement.

Investigative actions

Check the initiator process for additional suspicious activity.