Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Active Directory (AD) database files are a common target after an attacker has a foothold in an AD environment. An attacker can leverage legitimate binary files or attack tools to copy and decrypt these files. With AD information, an attacker can compromise any AD account.
Kill Chain
Risk Score
88
In a Windows AD environment, directory information is stored in a database called the Windows NT Directory Services file (ntds.dit). A domain controller (DC) has a ntds.dit file that stores password hashes, user information, and other secrets. Typically, ntds.dit is inaccessible to users, but this file can be copied by built-in Windows utilities. For example, ntdsutil.exe is a Windows binary file that is available by default in a DC. An attacker with access to a DC can run an ntdsutil command to copy content from the ntds.dit file and registry hives, which are system files that contain secret information needed to decrypt ntds.dit. The attacker transfers the copied data to a file share over the SMB file sharing protocol. Later, the attacker can download this data and run cracking tools to retrieve passwords from the hashes.
Strictly manage the users and groups who have domain permissions that allow them to replicate information from a domain controller (DC)
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
