How to detect, prevent, and mitigate NTDS.dit Password Extraction
By stealing the NTDS.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.
Once the hashes have been extracted or cracked, there is no limit to what the attacker can do with them.
Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.
Detect NTDS.dit Password Extraction Attack
The best detection is to look for unexpected access events on the NTDS.dit file.
APPROACH: NTDS.dit File Access
DESCRIPTION: Monitor for access to the NTDS.dit file in the following ways:
Direct access to the file on the file system. Active Directory keeps this file locked while in use, so an attacker typically cannot copy it without stopping the Active Directory service. Because the AD service runs as Local System, any access event or access-denied event on NTDS.dit that is attributed to a user account is a meaningful indicator of an unwanted access attempt.
Access to the NTDS.dit file through Volume Shadow Copies. Even while the file is locked, an attacker can create a shadow copy of the entire volume and extract NTDS.dit from that copy, so monitor for shadow copy creation on domain controllers and for reads of NTDS.dit through a shadow copy path as well.
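The following is an added example of the detection logic described above, written here for illustration; it is not Stealthbits' code and not taken from the original article. It assumes that Windows Security log records have already been parsed into simple objects (for example from a Get-WinEvent export or a SIEM feed). The event IDs are the real Windows Security IDs 4656 (handle requested), 4663 (object accessed) and 4688 (process created); the shadow copy path form, the account names and every sample event are constructed for the example, and command lines only appear in 4688 events when command-line auditing is enabled.

```python
"""Flag NTDS.dit access attempts in parsed Windows Security events (added example)."""
import re
from dataclasses import dataclass

# Real Windows Security event IDs used by the detection.
EVT_HANDLE_REQUESTED = 4656   # reports Audit Failure when access is denied
EVT_OBJECT_ACCESSED = 4663
EVT_PROCESS_CREATED = 4688

NTDS_FILE_RE = re.compile(r"ntds\.dit$", re.IGNORECASE)
# Assumed form of a shadow copy device path as it appears in the object name.
SHADOW_PATH_RE = re.compile(r"HarddiskVolumeShadowCopy\d*", re.IGNORECASE)
SHADOW_CREATE_RE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.IGNORECASE)

# The directory service itself runs as Local System and legitimately opens the
# live database; anything else touching NTDS.dit is worth an alert.
SERVICE_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


@dataclass
class SecurityEvent:
    event_id: int
    account: str                       # subject account name (DOMAIN\user)
    keywords: str = "Audit Success"    # or "Audit Failure"
    object_name: str = ""              # file path for 4656/4663
    command_line: str = ""             # process command line for 4688


def classify(ev: SecurityEvent):
    """Return an alert string for a suspicious event, or None if it is benign."""
    if ev.event_id in (EVT_HANDLE_REQUESTED, EVT_OBJECT_ACCESSED) \
            and NTDS_FILE_RE.search(ev.object_name):
        via_shadow = bool(SHADOW_PATH_RE.search(ev.object_name))
        denied = "failure" in ev.keywords.lower()
        # Local System opening the live file on its normal path is expected;
        # Local System reading it out of a shadow copy is not.
        if not via_shadow and not denied and ev.account.upper() in SERVICE_ACCOUNTS:
            return None
        how = "shadow copy" if via_shadow else "file system"
        outcome = "denied" if denied else "granted"
        return f"ntds.dit access via {how} ({outcome}) by {ev.account}"
    if ev.event_id == EVT_PROCESS_CREATED and SHADOW_CREATE_RE.search(ev.command_line):
        return f"shadow copy creation by {ev.account}: {ev.command_line}"
    return None


def detect(events):
    """Run classify() over a sequence of events and return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    SecurityEvent(4663, "SYSTEM", "Audit Success", r"C:\Windows\NTDS\ntds.dit"),
    SecurityEvent(4656, "CORP\\jdoe", "Audit Failure", r"C:\Windows\NTDS\ntds.dit"),
    SecurityEvent(4688, "CORP\\jdoe", command_line="vssadmin.exe create shadow /for=C:"),
    SecurityEvent(4663, "CORP\\jdoe", "Audit Success",
                  r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"),
    SecurityEvent(4663, "CORP\\backupsvc", "Audit Success", r"C:\Windows\NTDS\edb.log"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event (Local System opening the live database) and the last (a different file in the NTDS folder) pass silently; the denied handle request by a user, the shadow copy creation, and the read of NTDS.dit through the shadow copy path each produce an alert. In practice the SACL on the NTDS folder must include Read and Read-denied auditing for these object-access events to be generated at all.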
The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.
APPROACH: DC Logon Groups
DESCRIPTION: Regularly review all domain groups that grant logon rights to domain controllers (e.g. Domain Admins, Server Operators), since members of these groups can reach the NTDS.dit file on the domain controller's file system. Remove any member who does not need that access.
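One way to make such a review repeatable, shown here as an added example rather than Stealthbits' own tooling, is to diff the effective membership of each DC logon group against an approved baseline, expanding nested groups so that a user who inherits the right through a chain of groups is still reported. The directory snapshot, the approved baseline and all account and group names below are constructed; in a real review the snapshot would come from the directory (for example a Get-ADGroupMember export), and the list of groups with DC logon rights should be extended to match your environment.

```python
"""Diff effective DC logon group membership against a baseline (added example)."""
from collections import deque

# Constructed directory snapshot: group -> direct members. A member that is
# itself a key in this dict is a nested group; everything else is a user.
DIRECTORY = {
    "Domain Admins": {"Administrator", "da-alice", "Tier0-Ops"},
    "Server Operators": {"srv-bob", "Helpdesk"},
    "Tier0-Ops": {"da-carol"},
    "Helpdesk": {"hd-dave", "Helpdesk-L2"},
    "Helpdesk-L2": {"hd-erin", "Helpdesk"},   # deliberate cycle, must not loop
}

# Groups that grant logon rights to domain controllers (the two named on the
# page; extend for your environment).
DC_LOGON_GROUPS = {"Domain Admins", "Server Operators"}

# Constructed baseline of who is approved to hold each right.
APPROVED = {
    "Domain Admins": {"Administrator", "da-alice", "da-carol"},
    "Server Operators": {"srv-bob"},
}


def effective_members(group, directory):
    """Transitively expand a group. Returns {user: path}, where path is the
    tuple of groups through which the user obtains membership."""
    users = {}
    seen = {group}
    queue = deque([(group, (group,))])
    while queue:
        current, path = queue.popleft()
        for member in sorted(directory.get(current, ())):
            if member in directory:            # nested group
                if member not in seen:         # cycle / diamond protection
                    seen.add(member)
                    queue.append((member, path + (member,)))
            elif member not in users:          # keep the first (shortest) path
                users[member] = path
    return users


def review(directory, approved, groups=DC_LOGON_GROUPS):
    """For each DC logon group report members not in the baseline (with the
    nesting chain that grants them the right) and baseline members missing."""
    findings = {}
    for group in sorted(groups):
        effective = effective_members(group, directory)
        baseline = approved.get(group, set())
        findings[group] = {
            "unexpected": {user: " > ".join(path)
                           for user, path in effective.items() if user not in baseline},
            "missing": baseline - set(effective),
        }
    return findings


if __name__ == "__main__":
    for group, result in review(DIRECTORY, APPROVED).items():
        for user, chain in result["unexpected"].items():
            print(f"[{group}] unexpected member {user} via {chain}")
        for user in sorted(result["missing"]):
            print(f"[{group}] baseline member {user} no longer present")
```

With the constructed data, Domain Admins is clean (da-carol is approved and arrives via Tier0-Ops), while Server Operators picks up two helpdesk users through the nested Helpdesk and Helpdesk-L2 groups; the reported chain tells the reviewer which nesting to remove rather than just which user appeared.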