Esc
NTDS - T1003.003

(ATT&CK® Technique)
Definition

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1003003["NTDS"] --> |accesses| EncryptedCredential["Encrypted Credential"]; class T1003003 OffensiveTechniqueNode;
        class EncryptedCredential ArtifactNode; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential";
        click T1003003 href "/offensive-technique/attack/T1003.003/"; click EncryptedCredential href "/dao/artifact/d3f:EncryptedCredential";             AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | EncryptedCredential["Encrypted Credential"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1003003["NTDS"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRevocation["Credential Revocation"] -->
          | deletes | EncryptedCredential["Encrypted Credential"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1003003["NTDS"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation";   CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | EncryptedCredential["Encrypted Credential"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1003003["NTDS"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";                                    CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | EncryptedCredential["Encrypted Credential"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1003003["NTDS"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; ReissueCredential["Reissue Credential"] -->
          | restores | EncryptedCredential["Encrypted Credential"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1003003["NTDS"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential";                           CredentialHardening["Credential Hardening"] -->
          | hardens | EncryptedCredential["Encrypted Credential"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1003003["NTDS"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";    DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | EncryptedCredential["Encrypted Credential"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1003003["NTDS"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";                CredentialRotation["Credential Rotation"] -->
          | regenerates | EncryptedCredential["Encrypted Credential"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1003003["NTDS"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | EncryptedCredential["Encrypted Credential"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1003003["NTDS"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class EncryptedCredential ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";
json