T1003.003: T1003.003

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:42 · Modified 10/04/2026 14:07

Essential information

MITRE technique ID: T1003.003
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:42
Modified: 10/04/2026 14:07
Author / Source: The MITRE Corporation

Aliases

NTDS

Platforms

windows

Description

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in `%SystemRoot%\NTDS\Ntds.dit` of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-built Windows tool, ntdsutil.exe * Invoke-NinjaCopy

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Wikipedia Active Directory
Metcalf 2015
mitre-attack (T1003.003)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (27)

RansomEXX uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ke3chang uses APT15Mirage

The MITRE Corporation Confidence 100

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

25–27 of 27

Black Basta - S1070 uses

Family
RansomEXX uses

Family
Megazord uses

Family
SharpGPOAbuse uses
Pillager uses

Family
Dcsync uses

Family
BlackCat - S1068 uses

Family
Zeppelin uses

Family
ELPACO-team uses

Family
Rhysida uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 37

StrikeShark: a new campaign involving a custom SharkLoader … related

AlienVault Confidence 100 13 CVEs 22 MITREs 6 Malwares 5 IOCs 4 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Flash Alert: EtherRat and TukTuk C2 End in … related

AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
AMOS Stealer delivered via Cursor AI agent session related

AlienVault Confidence 100 20 MITREs 1 Malware 13 IOCs 13 Observables
Snow Flurries: How UNC6692 Employed Social Engineering to … related

20 MITREs 4 Malwares 7 Observables 1 APT
Stolen Service Accounts Lead to Rogue Workstations and … related

3 CVEs 12 MITREs 2 Observables
A Peek Into Muddled Libra's Operational Playbook related

25 MITREs 4 Observables 1 APT
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability related

1 CVE 7 MITREs 1 Observable
Gootloader Returns: What Goodies Did They Bring? related

14 MITREs 8 Malwares 136 Observables 1 APT
Howling Scorpius (Akira Ransomware) related

4 CVEs 18 MITREs 2 Malwares 44 Observables 1 APT
QSC: new modular framework in CloudComputating campaigns related

22 MITREs 3 Malwares 1 APT

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (30)

CVE-2025-11371 targets

6.2 Medium

In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended …

Published: 09/10/2025
Modified: 10/10/2025

Received

CVE-2023-20269 KEV targets

5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector: Network
Published: 13/09/2023
Modified: 21/12/2025

CVE-2024-23897 KEV targets

9.8 Critical

Jenkins Command Line Interface (CLI) contains a path traversal vulnerability that allows attackers limited read access to certain files, which can lead …

Attack vector: Network
Published: 19/08/2024
Modified: 21/12/2025

CVE-2024-21762 KEV targets

9.8 Critical

Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP …

Attack vector: Network
Published: 09/02/2024
Modified: 21/12/2025

CVE-2020-3259 KEV targets

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on …

Published: 15/02/2024
Modified: 21/12/2025

CVE-2017-17562 KEV targets

8.1 High

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.

Attack vector: NETWORK
Complexity: HIGH
Published: 12/12/2017
Modified: 22/04/2026

CVE-2022-26134 KEV targets

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2022-40684 KEV targets

9.8 Critical

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …

Attack vector: Network
Published: 11/10/2022
Modified: 14/01/2026

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-46747 KEV targets

9.8 Critical

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …

Attack vector: Network
Published: 31/10/2023
Modified: 21/12/2025

CVE-2024-0012 KEV targets

9.8 Critical

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to …

Attack vector: Network
Published: 18/11/2024
Modified: 21/12/2025

Undergoing Analysis

CVE-2024-9474 KEV targets

7.2 High

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to …

Attack vector: Network
Published: 18/11/2024
Modified: 21/12/2025

Undergoing Analysis

← Previous

Page / 3

13–24 of 30

T1003 subtechnique-of

OS Credential Dumping MITRE

Campaign (4)

Cutting Edge uses
2025 Poland Wiper Attacks uses
Operation MidnightEclipse uses
APT28 Nearest Neighbor Campaign uses

Tool (4)

esentutl uses

The MITRE Corporation Confidence 100

[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)
Impacket uses

The MITRE Corporation Confidence 100

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
CrackMapExec uses

The MITRE Corporation Confidence 100

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…
Koadic uses

The MITRE Corporation Confidence 100

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs…

Course Of Action (4)

Privileged Account Management mitigates
Encrypt Sensitive Information mitigates
Password Policies mitigates
User Training mitigates

Contact About Legal notice Privacy policy Terms of use