Forum Discussion
Daugirdas_Sinkevicius
Sep 21, 2020, Copper Contributor
Azure ATP possibilities to detect NTDS.dit dump
Hello, does Azure ATP detect activities related to getting a copy of the file NTDS.dit? For example, when dumping the file with native built-in tools while an Administrator is logged on to the DC: Le...
David Caddick
Sep 22, 2020, Iron Contributor
Daugirdas_Sinkevicius yes it does - and boy did it cause some angst...
- Daugirdas_Sinkevicius, Sep 29, 2020, Copper Contributor
David Caddick, I just want to clarify... have you ever tested this?
I deployed a fresh new AATP 2 months ago, and once we dumped NTDS.dit on a DC, ATP did not show any alert 😞
Double checked - ATP sensors were working fine on all DCs during the test.
- David Caddick, Sep 29, 2020, Iron Contributor
Daugirdas_Sinkevicius specifically, this is what we saw:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/exfiltration-alerts#data-exfiltration-over-smb-external-id-2030
Might check using SMB maybe?