Netwrix and Stealthbits merge to better secure sensitive data. LEARN MORE

NTDS.dit Password Extraction

How to detect, prevent, and mitigate NTDS.dit Password Extraction

By stealing the NTDS.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.

Once the hashes have been extracted or cracked, there is no limitation to what the attacker can do with them.

    Request A Free Trial

    Thank You For Your Request

    A Stealthbits representative will contact you shortly.

    If you have any questions, you can contact our sales department by sending an inquiry to sales@stealthbits.com.


    Stealthbits’ NTDS.dit Password Extraction Solution

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.

    Detect NTDS.dit Password Extraction Attack

    The best detection is to look for unexpected access events on the NTDS.dit file.

    APPROACH

    NTDS.dit File Access

    DESCRIPTION

    Monitor for access to the NTDS.dit file in the following ways:

    • Direct access to the file on the file system. This file is locked by Active Directory while in use so typically an attacker cannot obtain the file without stopping the Active Directory service. Monitoring for access events as well as access denied events by user accounts can provide meaningful insight into unwanted access attempts, because the AD service runs as Local System.
    • Access to the NTDS.dit file through Volume Shadow Copies. While the file is locked attackers are able to create a shadow copy of the entire drive and extract the NTDS.dit file from the shadow copy.

    PRODUCT: StealthDEFEND

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    Mitigate NTDS.dit Password Extraction Attack

    The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.

    APPROACH

    DC Logon Groups

    DESCRIPTION

    Perform reviews of all domain groups which provide logon rights to domain controllers (e.g. Domain Admins, Server Operators) as the members of these groups can gain access to the Ntds.dit file which resides on the file system of the domain controller. Perform regular reviews and remove unnecessary members.

    PRODUCT: StealthAUDIT

    Seeing is believing.

    © 2021 Stealthbits Technologies, Inc.