Active Directory is a key target for hackers, so a recent report detailing Active Directory attack techniques contains useful lessons for security defenders.
The attack, which targeted the critical NTDS.dit file at the core of Active Directory, was detailed in a blog post by Trellix Staff Research Scientist Maulik Maheta.
“In a Windows domain environment, Active Directory (AD) is the central nervous system that governs who can log in, what they can access, and how trust is enforced throughout the organization,” Maheta wrote.
“For an attacker, compromising the NTDS.dit file is equivalent to discovering the blueprint of your digital identity system,” he wrote.
Active Directory Attack is ‘Identity Theft on the Infrastructure Level’
NTDS.dit is the NT Directory Services Directory Information Tree and “contains the domain’s entire database,” storing user accounts, group policies, computer objects and password hashes for all domain users, including privileged accounts such as Domain Administrators.
With the right tools and access to the SYSTEM hive for decryption, attackers “can extract these hashes, crack passwords offline, and impersonate anyone,” Maheta wrote. “They no longer need to phish your users or brute-force logins; they now have the keys to the kingdom.”
With administrative privileges on a host, attackers often use native tools such as vssadmin to create a Volume Shadow Copy (VSS) snapshot and bypass the file lock. They can then extract NTDS.dit from the snapshot, repair it with the esentutl database utility, and perform a credential dump with tools like SecretsDump, Mimikatz, or a simple copy command, “all without triggering traditional alarms.”
“This is why stealing NTDS.dit is so dangerous,” Maheta wrote. “It’s not just data loss; it’s also identity theft on the infrastructure level.”
Active Directory Attack Steps
Maheta outlined the attack in four steps.
The first step after obtaining network access is stealing password hashes through methods such as DCSync, extracting hashes from ntds.dit, or extracting hashes from the lsass.exe process memory that stores hashes for currently logged-in users.
The attacker can then use the Pass-the-Hash method to authenticate as a user with the stolen password hash, for example launching cmd.exe under that hash or using it to connect to network resources that support NTLM authentication.
From there, the attacker can move laterally through the network by, for example, using the PSExec tool to execute commands on remote systems, “thereby expanding their footprint and repeating the cycle of credential theft and lateral movement on an increasing number of systems.”
An attacker with access to a domain controller’s file system could exfiltrate NTDS.dit and the HKEY_LOCAL_MACHINE\SYSTEM registry hive needed to retrieve the Boot Key for decrypting the NTDS.dit file. AD places a file system lock on the ntds.dit file to thwart attempts to copy it, but Maheta noted a few ways around that protection:
- Taking a snapshot of the volume with VSS, then extracting the NTDS.dit file from it
- Using a PowerShell utility to copy files while in use
- Creating Active Directory installation media files using a built-in program like DSDBUtil.exe or NTDSUtil.exe
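As an added, defender-side illustration (not code from the Trellix post or this article): a small Python scan over constructed process-creation records that flags the native-tool steps described above (a vssadmin snapshot, ntdsutil/dsdbutil installation media, esentutl touching ntds.dit, an export of the SYSTEM hive, and a copy of ntds.dit out of a shadow copy) and then correlates the stages per host, since one snapshot alone is routine. The log format, field names, rule tags and sample events are assumptions.

```python
import re

# Constructed, simplified process-creation records: one event per line with
# "CommandLine=" as the last field (an assumption, not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1 Host=DC01 User=CORP\\admin CommandLine=vssadmin list shadows",
    "EventID=1 Host=DC01 User=CORP\\admin CommandLine=vssadmin create shadow /for=C:",
    "EventID=1 Host=DC01 User=CORP\\admin CommandLine=ntdsutil ifm \"create full C:\\temp\" q q",
    "EventID=1 Host=DC01 User=CORP\\svc CommandLine=reg save HKLM\\SYSTEM C:\\temp\\sys.hiv",
    "EventID=1 Host=WS07 User=CORP\\bob CommandLine=esentutl /p C:\\temp\\ntds.dit",
    "EventID=1 Host=WS07 User=CORP\\bob CommandLine=esentutl /p C:\\backup\\mailbox.edb",
    "EventID=1 Host=DC01 User=CORP\\svc CommandLine=cmd /c copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\",
]

# Each rule is a stage tag plus regexes that must ALL match the command line.
# Tag names are this example's own; tune the patterns to your telemetry.
RULES = [
    ("vss-snapshot",       [r"\bvssadmin\b", r"\bcreate\s+shadow\b"]),
    ("ad-ifm-media",       [r"\b(ntdsutil|dsdbutil)\b", r"\bifm\b"]),
    ("system-hive-export", [r"\breg(\.exe)?\s+save\b", r"hklm\\system\b"]),
    ("ntds-esent-repair",  [r"\besentutl\b", r"ntds\.dit"]),
    ("ntds-from-shadow",   [r"harddiskvolumeshadowcopy", r"ntds\.dit"]),
]

def classify(cmdline):
    """Return the first stage tag whose patterns all match, or None if benign."""
    for tag, patterns in RULES:
        if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns):
            return tag
    return None

def scan(events):
    """Return (host, user, stage) for each event whose command line hits a rule."""
    findings = []
    for line in events:
        header, cmdline = line.split("CommandLine=", 1)
        fields = dict(f.split("=", 1) for f in header.split())
        tag = classify(cmdline)
        if tag:
            findings.append((fields["Host"], fields["User"], tag))
    return findings

def suspicious_hosts(findings, min_stages=2):
    """Hosts with two or more distinct stages: one snapshot is routine admin work,
    snapshot plus SYSTEM hive export plus an ntds.dit copy is the theft chain."""
    stages = {}
    for host, _, tag in findings:
        stages.setdefault(host, set()).add(tag)
    return sorted(h for h, tags in stages.items() if len(tags) >= min_stages)
```

On the constructed sample, `scan` reports five stage hits and `suspicious_hosts` narrows them to DC01, where four distinct stages were seen; the benign `vssadmin list shadows` and the Exchange-database esentutl call are not flagged.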
“The theft of the NTDS.dit file is more than just a data breach; it is a complete loss of identity, trust, and control within a Windows domain,” Maheta concluded. “What makes this threat particularly dangerous is its stealth: attackers frequently use native tools, low-noise techniques, and encrypted exfiltration to avoid detection.”
Trellix NDR can help, he said, by detecting “subtle behavioral patterns and exfiltration attempts that traditional defenses miss.”