NTDS.dit Password Extraction

How to detect, prevent, and mitigate NTDS.dit Password Extraction

By stealing the NTDS.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.

Once the hashes have been extracted or cracked, there is no limitation to what the attacker can do with them.


    Stealthbits’ NTDS.dit Password Extraction Solution

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.

    Detect NTDS.dit Password Extraction Attack

    The best detection is to look for unexpected access events on the NTDS.dit file.


    NTDS.dit File Access


    Monitor for access to the NTDS.dit file in the following ways:

    • Direct access to the file on the file system. This file is locked by Active Directory while in use, so an attacker typically cannot copy it without stopping the Active Directory service. Because the AD service runs as Local System, access events and access-denied events generated by ordinary user accounts on this file are unexpected and provide meaningful insight into unwanted access attempts.
    • Access to the NTDS.dit file through Volume Shadow Copies. Even while the file is locked, an attacker can create a shadow copy of the entire volume and extract NTDS.dit from the shadow copy, so reads of the file through a shadow-copy path should be monitored as well.
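The two monitoring cases above, as an added example that is not part of the Stealthbits page or its products: detection logic run over constructed Windows Security audit records (Event IDs 4663 and 4656 from Object Access auditing). It assumes the records have been exported from the Security log as dicts with the field names used here, and that a read through a shadow copy shows up with the shadow-copy device path in ObjectName; both are assumptions about your export, not facts from the page.

```python
"""Detection logic for unexpected NTDS.dit access, run over constructed Windows
Security audit records (Event IDs 4663 and 4656 from Object Access auditing).
Added example; not part of the Stealthbits page. Records are assumed to have been
exported from the Security log as dicts with the field names used below."""
import re
from typing import Dict, List, Optional, Tuple

# The AD service runs as Local System, so SYSTEM is the only subject expected to
# touch the live database. Add the DC's own computer account (e.g. "DC01$") if
# your events show it as the subject.
LEGITIMATE_SUBJECTS = {"SYSTEM"}

# Matches the database file whether it is the live copy or a read through a
# shadow-copy device path (assumed to appear in ObjectName as shown below).
NTDS_FILE = re.compile(r"\\ntds\.dit$", re.IGNORECASE)
SHADOW_COPY_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)

# 4663 = an attempt was made to access an object; 4656 = a handle was requested.
# A 4656 failure audit is the "access denied" case the text refers to.
INTERESTING_EVENTS = {4663: "accessed", 4656: "handle requested"}


def classify(event: Dict[str, object]) -> Optional[str]:
    """Return an alert description for a suspicious event, or None if benign."""
    event_id = event.get("EventID")
    if event_id not in INTERESTING_EVENTS:
        return None
    path = str(event.get("ObjectName", ""))
    if not NTDS_FILE.search(path):
        return None
    subject = str(event.get("SubjectUserName", ""))
    via_shadow_copy = bool(SHADOW_COPY_PATH.search(path))
    # A read through a shadow copy is alertable regardless of the subject,
    # because the AD service never opens its live database that way.
    if subject.upper() in LEGITIMATE_SUBJECTS and not via_shadow_copy:
        return None
    if event.get("Keywords") == "Audit Failure":
        return f"NTDS.dit access denied for {subject}"
    if via_shadow_copy:
        return f"NTDS.dit read from shadow copy by {subject}"
    return f"NTDS.dit {INTERESTING_EVENTS[event_id]} by {subject}"


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (EventRecordID, alert) pairs."""
    alerts = []
    for event in events:
        label = classify(event)
        if label:
            alerts.append((int(event["EventRecordID"]), label))
    return alerts


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 4663, "Keywords": "Audit Success",
     "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},          # normal AD activity
    {"EventRecordID": 102, "EventID": 4656, "Keywords": "Audit Failure",
     "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},          # user denied on live file
    {"EventRecordID": 103, "EventID": 4663, "Keywords": "Audit Success",
     "SubjectUserName": "jdoe",
     "ObjectName": r"\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"},
    {"EventRecordID": 104, "EventID": 4663, "Keywords": "Audit Success",
     "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Users\jdoe\notes.txt"},           # unrelated file
    {"EventRecordID": 105, "EventID": 4663, "Keywords": "Audit Success",
     "SubjectUserName": "backupsvc",
     "ObjectName": r"C:\Windows\NTDS\ntds.dit"},          # non-SYSTEM on live file
]

if __name__ == "__main__":
    for record_id, alert in scan(SAMPLE_EVENTS):
        print(record_id, alert)
```

Of the five constructed records, only the SYSTEM access to the live file and the unrelated file are treated as benign; a denied attempt, a shadow-copy read and any non-SYSTEM access to the live file each produce an alert. Backup agents that legitimately read the database as a non-SYSTEM account need to be added to the allowlist for your environment.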



    Mitigate NTDS.dit Password Extraction Attack

    The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.


    DC Logon Groups


    Review all domain groups that grant logon rights to domain controllers (e.g. Domain Admins, Server Operators): members of these groups can gain access to the NTDS.dit file on the domain controller's file system. Perform these reviews regularly and remove unnecessary members.
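The group review above, as an added example that is not part of the Stealthbits page or its products. Membership in these groups is often indirect through nested groups, so the check expands nesting (with a guard against group cycles, which AD permits) before comparing the effective membership against an approved list. The membership snapshot is constructed; in practice it would come from an AD export such as the output of Get-ADGroupMember -Recursive.

```python
"""Review of groups that grant logon rights to domain controllers, expanding nested
group membership before comparing against an approved list. Added example; not
part of the Stealthbits page. The membership snapshot is constructed; in practice
it would come from an AD export."""
from typing import Dict, Iterable, Optional, Set

# Groups whose members can log on to domain controllers. The first two are the
# page's examples; Backup Operators is added because it holds "Allow log on
# locally" on DCs by default.
DC_LOGON_GROUPS = ["Domain Admins", "Server Operators", "Backup Operators"]


def effective_members(group: str, membership: Dict[str, Iterable[str]],
                      _seen: Optional[Set[str]] = None) -> Set[str]:
    """Flatten nested groups into the set of principals that end up as members.

    Names that are keys in `membership` are groups and get expanded; anything
    else is treated as a user or service account. `_seen` guards against
    group cycles (A contains B, B contains A), which AD allows.
    """
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    users: Set[str] = set()
    for member in membership.get(group, ()):
        if member in membership:
            users |= effective_members(member, membership, _seen)
        else:
            users.add(member)
    return users


def review(membership: Dict[str, Iterable[str]],
           approved: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {group: unexpected principals} for every DC logon group with drift."""
    findings: Dict[str, Set[str]] = {}
    for group in DC_LOGON_GROUPS:
        unexpected = effective_members(group, membership) - approved.get(group, set())
        if unexpected:
            findings[group] = unexpected
    return findings


# Constructed snapshot (not real directory data). "Helpdesk-L3" is nested two
# levels under Domain Admins and also forms a cycle with "Tier0-Admins".
SAMPLE_MEMBERSHIP = {
    "Domain Admins": ["Administrator", "Tier0-Admins"],
    "Tier0-Admins": ["alice", "Helpdesk-L3"],
    "Helpdesk-L3": ["bob", "Tier0-Admins"],
    "Server Operators": ["svc_backup"],
    "Backup Operators": [],
}
APPROVED = {
    "Domain Admins": {"Administrator", "alice"},
    "Server Operators": set(),
    "Backup Operators": set(),
}

if __name__ == "__main__":
    for group, who in review(SAMPLE_MEMBERSHIP, APPROVED).items():
        print(f"{group}: unexpected members {sorted(who)}")
```

In the constructed snapshot, "bob" never appears directly in Domain Admins but is an effective member through two levels of nesting, which is exactly the kind of membership a review of direct members misses.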




    © 2022 Stealthbits Technologies, Inc.