Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.
The best detection is to look for unexpected access events on the NTDS.dit file.
NTDS.dit File Access
Monitor for access to the NTDS.dit file in the following ways:
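One way to triage such access events, shown as an added example that is not from the original page and is not a Stealthbits product feature: it filters Windows Security event 4663 (object access) records for reads of ntds.dit by processes outside an allowlist. It assumes file-system auditing is enabled on the file; the allowlist, helper names and sample events are constructed for illustration.

```python
# Added example: triage Windows Security 4663 (object access) events for NTDS.dit.
import ntpath

# Assumption: processes expected to read NTDS.dit on this DC. Tune per environment
# (for example, add the backup agent you actually run).
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}
FILE_READ_DATA = 0x1  # read-data bit in the 4663 AccessMask field


def is_ntds_object(object_name):
    """True if the audited object is ntds.dit, whatever drive or device prefix it has."""
    return ntpath.basename(object_name).lower() == "ntds.dit"


def unexpected_ntds_access(events):
    """Return the 4663 events that read ntds.dit from a process outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663 or not is_ntds_object(ev.get("ObjectName", "")):
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & FILE_READ_DATA:
            continue  # attribute or permission query only, no file contents read
        if ev.get("ProcessName", "").lower() in EXPECTED_PROCESSES:
            continue
        findings.append(ev)
    return findings


def event(user, obj, proc, mask, event_id=4663):
    """Build one constructed event record using 4663 field names."""
    return {"EventID": event_id, "SubjectUserName": user, "ObjectName": obj,
            "ProcessName": proc, "AccessMask": mask}


# Constructed sample events; accounts, paths and processes are illustrative.
SAMPLE_EVENTS = [
    event("DC01$", r"C:\Windows\NTDS\ntds.dit", r"C:\Windows\System32\lsass.exe", "0x1"),
    event("svc-helpdesk", r"C:\Windows\NTDS\ntds.dit", r"C:\Windows\System32\cmd.exe", "0x1"),
    event("jsmith", r"\Device\HarddiskVolume3\Windows\NTDS\ntds.dit", r"C:\Temp\tool.exe", "0x1"),
    event("jsmith", r"C:\Windows\NTDS\ntds.dit", r"C:\Windows\explorer.exe", "0x80"),
    event("jsmith", r"C:\Windows\NTDS\edb.log", r"C:\Windows\System32\cmd.exe", "0x1"),
]

if __name__ == "__main__":
    for ev in unexpected_ntds_access(SAMPLE_EVENTS):
        print(f"ALERT {ev['SubjectUserName']} read {ev['ObjectName']} via {ev['ProcessName']}")
```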
The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.
DC Logon Groups
Review all domain groups that provide logon rights to domain controllers (e.g. Domain Admins, Server Operators), because members of these groups can gain access to the NTDS.dit file, which resides on the file system of the domain controller. Perform these reviews regularly and remove unnecessary members.