MITRE ATT&CK® Analytic

AN1611: Analytic 1611

Detects credential dumping attempts targeting the NTDS.dit database by monitoring shadow copy creation, suspicious file access to %SystemRoot%\NTDS\ntds.dit, and the use of tooling like ntdsutil.exe or volume management APIs.

Enterprise | AN1611 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN1611 is a Windows detection analytic focused on attempts to access or copy the Active Directory NTDS.dit database, a high-value credential store. For security leaders, this matters because activity around NTDS.dit can indicate risk to domain-wide identity trust, privilege escalation, and broader business continuity if domain credentials are compromised.

Executive priority

Treat this as an identity-risk and incident-readiness analytic rather than a narrow endpoint rule. Leaders should ask whether domain controllers and other relevant Windows systems produce the telemetry needed to see shadow copy creation, suspicious access to %SystemRoot%\NTDS\ntds.dit, and use of administrative tooling such as ntdsutil.exe. This analytic can support audit and incident response evidence, but the supplied ATT&CK object does not state detection coverage, severity, or known threat actor use.

Technical view

SOC and detection engineering teams should validate visibility on Windows systems for shadow copy creation, direct or unusual file access involving %SystemRoot%\NTDS\ntds.dit, execution of ntdsutil.exe, and use of volume management APIs where telemetry is available. Because no official detection logic or tactic mapping is supplied, teams should tune locally against legitimate backup, recovery, domain administration, and maintenance workflows before treating matches as high-confidence malicious activity.

Likely telemetry

  • Windows process creation events, especially for ntdsutil.exe
  • File access or file read activity involving %SystemRoot%\NTDS\ntds.dit
  • Shadow copy creation events
  • Volume management API or volume management activity logs where available
  • Endpoint detection and response telemetry from Windows systems

Detection direction

  • Confirm that domain controllers and relevant Windows assets are in telemetry scope.
  • Baseline legitimate NTDS.dit access patterns, backup operations, and shadow copy activity to reduce false positives.
  • Correlate shadow copy creation with suspicious file access to %SystemRoot%\NTDS\ntds.dit and related process execution.
  • Review ntdsutil.exe usage in context, since it can have legitimate administrative purposes.
  • Document blind spots where file access, shadow copy, or volume management telemetry is not collected.
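The telemetry list and detection direction above describe one correlation procedure: anchor on NTDS.dit file access, tune out the baselined backup workflow, raise confidence when shadow copy creation and ntdsutil.exe execution appear on the same host in a short window, and record hosts whose telemetry is incomplete. The following Python is an added example of that procedure and is not part of the ATT&CK object or Glexia's analysis. It assumes a log pipeline has already normalised Windows events into the dict shape used in `SAMPLE_EVENTS` (mapping raw sources such as Security 4688 process creation and 4663 file access onto a `kind` field is left to that pipeline); the host names, users, backup-agent path, allowlist entry and the 30-minute window are constructed values for illustration.

```python
"""Correlate NTDS.dit access with shadow copy creation and ntdsutil.exe use.

Added example only; not the ATT&CK object's or Glexia's own logic. All
sample events and tunable values below are constructed placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune locally
REQUIRED_TELEMETRY = {"process_creation", "file_access", "shadow_copy"}
# Constructed baseline: processes permitted to read NTDS.dit during sanctioned backups.
# Populate from your own change records; this path is a placeholder.
BACKUP_ALLOWLIST = {r"c:\program files\examplebackup\agent.exe"}

BACKUP_AGENT = r"C:\Program Files\ExampleBackup\agent.exe"   # constructed
NTDSUTIL = r"C:\Windows\System32\ntdsutil.exe"
NTDS_DIT = r"C:\Windows\NTDS\ntds.dit"

SAMPLE_EVENTS = [  # constructed telemetry, one dict per normalised event
    # dc01: sanctioned backup agent creates a shadow copy and reads NTDS.dit
    {"ts": "2026-01-10T01:00:00", "host": "dc01", "kind": "process_creation", "process": BACKUP_AGENT, "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2026-01-10T01:00:02", "host": "dc01", "kind": "shadow_copy", "process": BACKUP_AGENT, "user": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2026-01-10T01:00:05", "host": "dc01", "kind": "file_access", "process": BACKUP_AGENT, "user": "NT AUTHORITY\\SYSTEM", "path": NTDS_DIT},
    # dc02: ntdsutil.exe started by a user, shadow copy created, NTDS.dit read by it
    {"ts": "2026-01-10T03:12:00", "host": "dc02", "kind": "process_creation", "process": NTDSUTIL, "user": "CORP\\jdoe"},
    {"ts": "2026-01-10T03:12:10", "host": "dc02", "kind": "shadow_copy", "process": NTDSUTIL, "user": "CORP\\jdoe"},
    {"ts": "2026-01-10T03:12:15", "host": "dc02", "kind": "file_access", "process": NTDSUTIL, "user": "CORP\\jdoe", "path": NTDS_DIT},
    # dc03: only process creation is collected here, so ntdsutil.exe cannot be correlated
    {"ts": "2026-01-10T09:30:00", "host": "dc03", "kind": "process_creation", "process": NTDSUTIL, "user": "CORP\\adm-backup"},
]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-normalised path for comparisons."""
    return path.replace("/", "\\").lower()


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def is_ntds_access(ev: dict) -> bool:
    return ev["kind"] == "file_access" and _norm(ev.get("path", "")).endswith(r"\ntds\ntds.dit")


def is_ntdsutil(ev: dict) -> bool:
    return ev["kind"] == "process_creation" and _norm(ev["process"]).endswith(r"\ntdsutil.exe")


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """One finding per non-allowlisted NTDS.dit access, scored by how many of the
    three signals (file access, shadow copy, ntdsutil.exe) occur on the same host
    within `window`; plus a 'review' finding for ntdsutil.exe runs that have no
    file-access event to correlate with (the context the bullets above ask for)."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        accesses = [e for e in evs if is_ntds_access(e)]
        for ev in accesses:
            if _norm(ev["process"]) in BACKUP_ALLOWLIST:
                continue  # baselined: sanctioned backup workflow reading the database
            near = [e for e in evs if e is not ev and abs(_ts(e) - _ts(ev)) <= window]
            signals = ["ntds_access"]
            if any(e["kind"] == "shadow_copy" for e in near):
                signals.append("shadow_copy")
            if any(is_ntdsutil(e) for e in near):
                signals.append("ntdsutil")
            severity = {3: "high", 2: "medium"}.get(len(signals), "low")
            findings.append({"host": host, "ts": ev["ts"], "severity": severity,
                             "signals": signals, "user": ev.get("user"), "process": ev["process"]})
        for ev in evs:
            if is_ntdsutil(ev) and not any(abs(_ts(a) - _ts(ev)) <= window for a in accesses):
                findings.append({"host": host, "ts": ev["ts"], "severity": "review",
                                 "signals": ["ntdsutil"], "user": ev.get("user"), "process": ev["process"]})
    return findings


def telemetry_gaps(events: list[dict], hosts: list[str]) -> dict[str, list[str]]:
    """Blind-spot report: in-scope hosts missing any required telemetry kind."""
    seen: dict[str, set] = defaultdict(set)
    for ev in events:
        seen[ev["host"]].add(ev["kind"])
    return {h: sorted(REQUIRED_TELEMETRY - seen[h]) for h in hosts if REQUIRED_TELEMETRY - seen[h]}


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
    # dc04 is a constructed in-scope domain controller that sends nothing at all
    print(telemetry_gaps(SAMPLE_EVENTS, ["dc01", "dc02", "dc03", "dc04"]))
```

With the constructed input, dc01 produces no finding because the access comes from the allowlisted backup agent, dc02 produces a high-severity finding carrying all three signals, and dc03 produces only a review item; the gap report names dc03 (no file access or shadow copy collection) and dc04 (no telemetry at all), which is the documentation the last bullet asks for. In production the allowlist should match on more than the image path (signer, parent process, scheduled window) so that a renamed binary does not inherit the exemption.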

Mitigation priorities

  • Prioritize strong monitoring and access control around domain controllers and NTDS.dit.
  • Restrict and review administrative use of tools capable of interacting with the Active Directory database or volume services.
  • Ensure backup and recovery processes are documented so detection teams can distinguish authorized activity from suspicious behavior.
  • Validate incident response procedures for suspected Active Directory credential database access.
  • Use this analytic as supporting evidence for identity security and compliance readiness, not as a standalone assurance of protection.

Analyst notes and limits

The object is a detection analytic for Windows with an official description but no official detection logic, no ATT&CK tactic listing, and no supplied relationship context. Its value is strongest as a prompt to validate identity-critical telemetry and operational baselines around NTDS.dit access and shadow copy behavior.

This take is limited to the supplied ATT&CK fields and external reference. It does not claim active exploitation, attribution, complete detection coverage, or applicability outside Windows. Local environment data is required to determine fidelity, alert severity, and response thresholds.

Official MITRE ATT&CK definition

Analytic 1611

Detects credential dumping attempts targeting the NTDS.dit database by monitoring shadow copy creation, suspicious file access to %SystemRoot%\NTDS\ntds.dit, and the use of tooling like ntdsutil.exe or volume management APIs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d30e5dfa751b54a9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d30e5dfa751b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1611 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.