Hackers Compromise Active Directory to Steal NTDS.dit that Leads to Full Domain Compromise

Posted on By CWS

Energetic Listing (AD) stays the muse of authentication and authorization in Home windows environments. Menace actors concentrating on the NTDS.dit database can harvest each area credential, unlock lateral motion, and obtain full area compromise. 

Attackers leveraged native Home windows utilities to dump and exfiltrate NTDS.dit, bypassing customary defenses. 

The adversary on this case obtained DOMAIN ADMIN privileges by way of a profitable phishing marketing campaign and subsequent privilege escalation. As soon as elevated, they executed:

To create a Quantity Shadow Copy and extract NTDS.dit, silently bypassing file locks. With the SYSTEM hive obtained, attackers decrypted the database offline utilizing secretsdump.py from Impacket:

This chain enabled harvesting of NTLM and AES hashes for all area accounts with out triggering conventional endpoint alarms.

Full Kill Chain

After archiving and compressing the dump with tar -czf ntds.tar.gz c:tempntds.dit c:tempSYSTEM, the attackers exfiltrated information over SMB to a compromised file share.

NTDS.dit file dump

Trellix detected this exercise by way of two high-fidelity signatures: anomalous SMB write patterns exceeding baseline quantity and a customized exfiltration signature for big NTDS file transfers. 

Behavioral detection flagged sudden esentutl processes working outdoors upkeep home windows, and protocol anomaly alerts triggered on shadow copy reads to C:$VolumeShadowCopy.

Via Trellix Sensible, AI-driven alert correlation highlighted the development from VSS creation to SMB add, lowering analyst workload by 60% and reducing imply time to detect (MTTD) by 45%. 

The theft of NTDS.dit poses an existential risk to Home windows domains, offering attackers full management over all credentials.  

 NTDS.dit archived for exfiltration

Conventional defenses usually miss the low-and-slow strategies employed throughout shadow copy creation and offline decryption.

Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

2,000+ Devices Hacked Using Weaponized Social Security Statement Themes Cyber Security News
Key Administrator of World’s Most Popular Dark Web Cybercrime Platform Arrested Cyber Security News
Critical Adobe Illustrator Vulnerability Let Attackers Execute Malicious Code Cyber Security News
PupkinStealer Attacks Windows System to Steal Login Credentials & Desktop Files Cyber Security News
Salesforce AI Agent Vulnerability Allows Let Attackers Exfiltration Sensitive Data Cyber Security News
Smart Electric Vehicles Face Hidden Cyber Vulnerabilities Exposing Drivers to Risks Cyber Security News