Credential Database Copy via Ninja-Copy Technique
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
Credential Database Copy via Ninja-Copy Technique | Standard | Windows | Credential Access: OS Credential Dumping - NTDS (T1003.003) | Critical |
About the rule
Rule Type
Standard
Rule Description
Identifies PowerShell script blocks that carry the Invoke-NinjaCopy function or its StealthOpenFile, StealthReadFile and StealthCloseFile helpers, which are used to copy locked credential databases (NTDS.dit, SAM, SYSTEM) by reading the raw NTFS volume.
Why this rule?
Ninja-Copy (the PowerSploit function Invoke-NinjaCopy) copies a file by opening the raw NTFS volume and parsing the file system structures itself instead of asking Windows for a handle to the file. Because the read never goes through the file object, the exclusive lock that keeps NTDS.dit (the Active Directory database), SAM (the local account database) and the SYSTEM hive (which holds the boot key that decrypts the hashes in the other two) open does not apply, their NTFS DACLs are not evaluated, and no file-level audit (SACL) event is generated. No Volume Shadow Copy has to be created either, which removes the step that many NTDS-theft detections key on. An attacker who already holds local administrator rights, which opening the raw volume requires, can therefore obtain password hashes even when copy, robocopy or vssadmin-based methods fail or would be noticed. Script Block Logging is the practical detection source because the tool's function names are visible in the logged script text regardless of how it was delivered.
Severity
Critical
Rule journey
Attack chain scenario
Credential Access → Ninja-Copy Execution → Protected File Access → Credential Database Theft → Password Hash Extraction.
Impact
Theft of NTDS.dit, SAM and SYSTEM yields the password hashes of every domain or local account, which attackers can crack offline or use directly in pass-the-hash; because the copy bypasses file locks, DACLs and file auditing, there is no file-level trace of the access.
Rule Requirement
Prerequisites
Enable PowerShell Script Block Logging so that script content is written to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104. It is enabled through Group Policy (Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) or by setting the DWORD value EnableScriptBlockLogging to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. Long script blocks are logged as several 4104 events ("Creating Scriptblock text (n of m)"), so the indicator may appear in only one fragment of a script.
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "Invoke-Ninjacopy" OR SCRIPTEXECUTED contains "StealthOpenFile" OR SCRIPTEXECUTED contains "StealthReadFile" OR SCRIPTEXECUTED contains "StealthCloseFile") select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED,Action1.DOMAIN,Action1.PATH,Action1.USERNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Credential Access: OS Credential Dumping - NTDS (T1003.003)
Future actions
Known False Positives
Backup, forensic acquisition, or approved administrative scripts accessing system files for recovery or auditing purposes, although such tooling rarely contains the Invoke-NinjaCopy function names themselves. Authorized penetration tests and red-team exercises that load PowerSploit are the most likely benign source of a match; confirm the engagement window and the executing account before closing the alert.
Next Steps
- Identification: From the 4104 event, record the HOSTNAME, USERNAME, script PATH and ScriptBlock ID, then retrieve every fragment of that script block (long scripts are split across several 4104 events) to see the complete script that ran.
- Analysis: Determine which credential databases were targeted from the -Path argument of the Invoke-NinjaCopy call, where the copies were written (-LocalDestination or -RemoteDestination), and whether -ComputerName pointed the copy at a domain controller from another host. Look for follow-on activity such as the copied files being archived or transferred off the host.
- Response: Treat the credentials in the copied stores as compromised. If NTDS.dit was taken, rotate all domain account passwords and reset the krbtgt account password twice; if only SAM and SYSTEM were taken, rotate the local accounts on that host and any other host that shares those passwords. Review how the executing account obtained administrator rights and tighten the access controls that allowed it.
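The following block is an added example, not the vendor's rule engine or PowerSploit code. It replays the rule's criteria over constructed 4104 events and then performs the analysis step above: it reassembles fragmented script blocks by ScriptBlockId, applies a case-insensitive "contains" over the four indicators, and pulls the -Path targets out of the Invoke-NinjaCopy call so the alert names which credential stores were copied. Field names follow the EventData of event 4104 (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal); the Computer and UserId keys stand in for the event's System section, and the mapping of the rule's SCRIPTEXECUTED field to ScriptBlockText is an assumption. The sample events are made up.

```python
"""Replay the Ninja-Copy script block rule over constructed 4104 events.

Added example, not the vendor's rule engine. Field names follow the EventData of
Microsoft-Windows-PowerShell/Operational event 4104 (ScriptBlockText, ScriptBlockId,
MessageNumber, MessageTotal); Computer and UserId stand in for the event's System
section. The rule's SCRIPTEXECUTED field is assumed to map to ScriptBlockText.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators copied from the rule's criteria. The PowerSploit function is spelled
# Invoke-NinjaCopy (capital C) while the rule writes "Invoke-Ninjacopy", so the
# 'contains' test must be case-insensitive or the primary indicator is missed.
INDICATORS = ("Invoke-NinjaCopy", "StealthOpenFile", "StealthReadFile", "StealthCloseFile")

# Credential stores worth naming explicitly when they appear as copy targets.
CREDENTIAL_FILES = {
    "ntds.dit": "NTDS.dit (Active Directory database)",
    "sam": "SAM hive",
    "system": "SYSTEM hive",
    "security": "SECURITY hive",
}

# Everything after -Path up to the next parameter (or end of line).
PATH_RE = re.compile(r"-Path\s+([^\r\n]+?)(?=\s+-[A-Za-z]|\s*$)", re.IGNORECASE)


@dataclass
class Alert:
    hostname: str
    username: str
    script_block_id: str
    indicators: list   # which of INDICATORS appeared
    targets: list      # (path, description) for each -Path value
    fragments: int     # number of 4104 events the script block was split into


def reassemble(events):
    """Group fragmented script blocks by ScriptBlockId and join them in order.

    Long scripts are logged as several 4104 events ("Creating Scriptblock text
    (n of m)"). A per-event match still fires on whichever fragment holds the
    indicator, but the -Path argument may sit in a different fragment, so triage
    should look at the reassembled text.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev["ScriptBlockId"]].append(ev)
    blocks = {}
    for sbid, frags in groups.items():
        frags.sort(key=lambda e: e["MessageNumber"])
        blocks[sbid] = (frags[0], "".join(f["ScriptBlockText"] for f in frags), len(frags))
    return blocks


def match_indicators(text):
    """Case-insensitive 'contains' over the rule's indicator list."""
    lowered = text.lower()
    return [i for i in INDICATORS if i.lower() in lowered]


def extract_targets(text):
    """Return the -Path values of Invoke-NinjaCopy calls, labelled by credential store."""
    targets = []
    for line in text.splitlines():
        if "invoke-ninjacopy" not in line.lower():
            continue   # ignore -Path on unrelated cmdlets such as Get-ChildItem
        for m in PATH_RE.finditer(line):
            raw = m.group(1).strip()
            if raw.startswith("@("):   # PowerShell array literal @(a, b)
                raw = raw[2:]
            for p in raw.rstrip(")").split(","):
                p = p.strip().strip("\"'")
                if p:
                    base = re.split(r"[\\/]", p)[-1].lower()
                    targets.append((p, CREDENTIAL_FILES.get(base, "other file")))
    return targets


def evaluate(events):
    """Apply the rule: one alert per script block that contains any indicator."""
    alerts = []
    for sbid, (first, text, count) in reassemble(events).items():
        hits = match_indicators(text)
        if hits:
            alerts.append(Alert(first["Computer"], first["UserId"], sbid,
                                hits, extract_targets(text), count))
    return alerts


# Constructed sample events (not real telemetry): one benign backup and one
# Invoke-NinjaCopy run whose script block was logged as three fragments.
SAMPLE_EVENTS = [
    {"Computer": "FS01.corp.example", "UserId": "CORP\\svc_backup", "ScriptBlockId": "a1",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "wbadmin start systemstatebackup -backupTarget:E: -quiet\r\n"},
    {"Computer": "DC01.corp.example", "UserId": "CORP\\jdoe", "ScriptBlockId": "b2",
     "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "function Invoke-NinjaCopy {\r\n  Param($Path, $LocalDestination, $ComputerName)\r\n"},
    {"Computer": "DC01.corp.example", "UserId": "CORP\\jdoe", "ScriptBlockId": "b2",
     "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "}\r\nInvoke-NinjaCopy -Path @(\"C:\\Windows\\NTDS\\ntds.dit\", "
                        "\"C:\\Windows\\System32\\config\\SYSTEM\") -LocalDestination C:\\Users\\Public\\out\r\n"},
    {"Computer": "DC01.corp.example", "UserId": "CORP\\jdoe", "ScriptBlockId": "b2",
     "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "  $h = StealthOpenFile $f; $b = StealthReadFile $h; StealthCloseFile $h\r\n"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.hostname} {a.username} block={a.script_block_id} "
              f"fragments={a.fragments} hits={a.indicators} targets={a.targets}")
```

The benign wbadmin backup produces no alert, while the fragmented Invoke-NinjaCopy script produces one alert that names NTDS.dit and the SYSTEM hive as targets even though the call sits in a different fragment from the helper functions. Restricting -Path extraction to lines that mention Invoke-NinjaCopy keeps unrelated cmdlets in the same script from polluting the target list.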
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| | | Ensure Domain Controller backups are properly secured.[2] |
| | | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |
| | | Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts. |