NTDS
Extract NTDS.dit from a DC to recover every domain account hash, including krbtgt.
§ Where this technique fits
T1003.003 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 3.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1003/003/.
§ Dossiers chaining this technique
- step 2 / 7
Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder
Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.
- step 3 / 6
RODC compromise → cracked NT hashes of revealed accounts
A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC and cracking those hashes yields the credentials of the corresponding users.
- step 5 / 5
DnsAdmins membership → SYSTEM on the DC
DnsAdmins members can load a DLL via the DNS service ServerLevelPluginDll registry value — the service runs as SYSTEM on the DC.
§ What commonly comes next
- 01 Brute Force (seen 1×): T1110 · Credential Access
- 02 Golden Ticket (seen 1×): T1558.001 · Credential Access