T1003.003: T1003.003

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:42 · Modified 10/04/2026 14:07

Essential information

MITRE technique ID: T1003.003
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:42
Modified: 10/04/2026 14:07
Author / Source: The MITRE Corporation

Aliases

NTDS

Platforms

windows

Description

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in `%SystemRoot%\NTDS\Ntds.dit` of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-built Windows tool, ntdsutil.exe * Invoke-NinjaCopy

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Wikipedia Active Directory
Metcalf 2015
mitre-attack (T1003.003)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

Medusa Group uses

The MITRE Corporation Confidence 100

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LAPSUS$ uses DEV-0537Strawberry Tempest

The MITRE Corporation Confidence 100

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM uses Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·
menuPass uses CicadaPOTASSIUM

The MITRE Corporation Confidence 100

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC6692 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ELPACO-team uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 27

Black Basta - S1070 uses

Family
RansomEXX uses

Family
Megazord uses

Family
SharpGPOAbuse uses
Pillager uses

Family
Dcsync uses

Family
BlackCat - S1068 uses

Family
Zeppelin uses

Family
ELPACO-team uses

Family
Rhysida uses

Family
The Gentlemen uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 37

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Flash Alert: EtherRat and TukTuk C2 End in … related

AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Snow Flurries: How UNC6692 Employed Social Engineering to … related

20 MITREs 4 Malwares 7 Observables 1 APT
Stolen Service Accounts Lead to Rogue Workstations and … related

3 CVEs 12 MITREs 2 Observables
A Peek Into Muddled Libra's Operational Playbook related

25 MITREs 4 Observables 1 APT
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability related

1 CVE 7 MITREs 1 Observable
Gootloader Returns: What Goodies Did They Bring? related

14 MITREs 8 Malwares 136 Observables 1 APT
Howling Scorpius (Akira Ransomware) related

4 CVEs 18 MITREs 2 Malwares 44 Observables 1 APT
QSC: new modular framework in CloudComputating campaigns related

22 MITREs 3 Malwares 1 APT
Peach Sandstorm deploys new custom Tickler malware in … related

11 MITREs 1 Malware 9 Observables 1 APT

← Previous

Page / 2

1–12 of 13

Vulnerabilities (CVE) (30)

CVE-2023-32315 KEV targets

8.6 High

Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …

Attack vector: Network
Published: 24/08/2023
Modified: 21/12/2025

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2025-59718 targets

9.8 Critical

A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS …

Published: 09/12/2025
Modified: 17/12/2025

Analyzed

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2026-24858 targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, …

Published: 27/01/2026
Modified: 28/01/2026

Analyzed

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2021-27076

targets

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2022-27925

targets

← Previous

Page / 3

1–12 of 30

T1003 subtechnique-of

OS Credential Dumping MITRE

Campaign (4)

Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation MidnightEclipse uses
APT28 Nearest Neighbor Campaign uses

Tool (4)

esentutl uses

The MITRE Corporation Confidence 100

[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)
Impacket uses

The MITRE Corporation Confidence 100

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…
Koadic uses

The MITRE Corporation Confidence 100

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs…

Course Of Action (4)

Privileged Account Management mitigates
Encrypt Sensitive Information mitigates
Password Policies mitigates
User Training mitigates

Contact About Legal notice Privacy policy Terms of use