Skip to content
Threat Feed
high advisory

NTDS or SAM Database File Copied

Detects copy operations of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files using command-line tools, potentially leading to credential access.

This detection identifies potential credential access attempts by monitoring copy operations of sensitive Windows files: the Active Directory Domain Database (ntds.dit) and the Security Account Manager (SAM). These files contain hashed domain and local credentials. The rule focuses on detecting command-line tools such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe when used to copy these sensitive files. This activity often indicates an attacker attempting to dump credentials for lateral movement or privilege escalation within a compromised environment. The rule is based on detection logic from Elastic Security. The targeted files and tools are consistent across various attack scenarios, making this a valuable detection for defenders.

Attack Chain

  1. Attacker gains initial access to a Windows host (e.g., via phishing or exploitation).
  2. The attacker executes a command shell such as cmd.exe or powershell.exe.
  3. The attacker leverages volume shadow copy service to create a shadow copy of the system drive.
  4. The attacker uses esentutl.exe with the /y and /vss parameters to copy the ntds.dit file from the shadow copy to a local directory.
  5. Alternatively, the attacker uses xcopy.exe, copy, move, cp or mv to copy the ntds.dit or SAM files.
  6. The attacker may compress the copied database file for easier transfer.
  7. The attacker exfiltrates the copied ntds.dit or SAM file from the target host.
  8. The attacker uses tools like secretsdump.py to extract credentials from the offline database.

Impact

Successful exfiltration of the ntds.dit or SAM files allows attackers to obtain domain or local credentials, leading to lateral movement, privilege escalation, and potentially domain compromise. This could result in data breaches, ransomware deployment, or other significant operational disruptions. The severity is high due to the sensitive nature of the data and the potential for widespread impact. The DFIR Report has documented this technique being used in Pysa/Mespinoza ransomware attacks.

Recommendation

  • Deploy the Sigma rule "NTDS or SAM Database File Copied" to your SIEM to detect potential credential access attempts (see rules section).
  • Enable Windows Security Event Logging and Sysmon to capture the necessary process creation and command-line data (Data Source: Windows Security Event Logs, Sysmon).
  • Investigate and remediate any alerts generated by this rule immediately, following the provided investigation guide (Resources: Investigation Guide).
  • Monitor file access events to detect unauthorized access attempts to ntds.dit and SAM files (Data Source: Elastic Defend).
  • Implement strict access control policies to limit access to sensitive files like ntds.dit and SAM (Mitigation).

Detection coverage 2

NTDS or SAM Database File Copied - CommandLine

high

Detects copy operations of NTDS or SAM database files via command line.

sigma tactics: credential_access techniques: T1003.002, T1003.003 sources: process_creation, windows

NTDS or SAM Database File Copied - esentutl.exe

high

Detects NTDS or SAM database file copy using esentutl.exe.

sigma tactics: credential_access techniques: T1003.002, T1003.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →