<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ntdsutil - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ntdsutil/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ntdsutil/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Credential Access via Windows Utilities</title><link>https://feed.craftedsignal.io/briefs/2024-01-credential-dump-tools/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-credential-dump-tools/</guid><description>This brief detects the execution of known Windows utilities such as procdump, ntdsutil, and diskshadow, often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access, potentially leading to widespread compromise.</description><content:encoded><![CDATA[<p>This threat brief focuses on the abuse of legitimate Windows utilities to dump credentials from LSASS memory or the Active Directory database (NTDS.dit). Attackers commonly use these techniques to gain access to sensitive information, such as user credentials and Kerberos tickets, which can then be used for lateral movement and privilege escalation. The utilities commonly used include procdump, ProcessDump.exe, WriteMiniDump.exe, RUNDLL32.exe, RdrLeakDiag.exe, SqlDumper.exe, TTTracer.exe, ntdsutil.exe, and diskshadow.exe. These tools are often abused because they are typically present in a standard Windows installation, making their malicious use harder to detect. This activity is often a precursor to a larger attack, such as ransomware deployment or data exfiltration. The Elastic detection rule was last updated on 2026/04/07, indicating continued relevance.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system through various means (e.g., phishing, exploitation of a vulnerability).</li>
<li>The attacker executes a command shell (e.g., cmd.exe or PowerShell) to run reconnaissance commands and identify potential targets.</li>
<li>The attacker uses procdump.exe with the <code>-ma</code> flag to create a full memory dump of the LSASS process.</li>
<li>Alternatively, the attacker utilizes RUNDLL32.exe to invoke MiniDump functionality for LSASS process dumping.</li>
<li>The attacker uses ntdsutil.exe to create a snapshot of the Active Directory database (NTDS.dit) if the compromised host is a domain controller.</li>
<li>The attacker uses diskshadow.exe to create shadow copies, which can then be used to access the NTDS.dit database.</li>
<li>The attacker copies the dumped LSASS memory or NTDS.dit file to a location where they can extract credentials offline.</li>
<li>The attacker uses credential extraction tools to parse the dumped memory or database and obtain user credentials and other sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful credential dumping attack can have severe consequences. Attackers can use the compromised credentials to move laterally within the network, access sensitive data, and escalate their privileges. This can lead to data breaches, financial losses, and reputational damage. In environments with Active Directory, a compromise of the NTDS.dit file can result in a complete compromise of the entire domain, affecting all users and systems. Depending on the compromised accounts, attackers can encrypt critical systems with ransomware or exfiltrate sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process-creation logging to capture command-line arguments for all processes, allowing for detection of credential dumping tools (reference: logsource with category &quot;process_creation&quot; and product &quot;windows&quot;).</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious execution of credential dumping utilities.</li>
<li>Monitor for unexpected execution of <code>procdump.exe</code> with the <code>-ma</code> flag, as this is a common indicator of LSASS memory dumping (reference: Sigma rule &quot;Detect Procdump LSASS Memory Dump&quot;).</li>
<li>Implement strict access controls on domain controllers to limit which users and systems can access the NTDS.dit file and LSASS process, reducing the attack surface (reference: overview).</li>
<li>Monitor for unusual uses of <code>ntdsutil.exe</code> or <code>diskshadow.exe</code>, especially on systems that are not domain controllers (reference: Sigma rule &quot;Detect NTDSUtil or Diskshadow Activity&quot;).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>lsass</category><category>ntdsutil</category><category>procdump</category><category>windows</category></item></channel></rss>