Hackers Breach Active Directory, Steal NTDS.dit for Full Domain Compromise


Threat actors recently infiltrated a corporate environment, dumped the AD database file NTDS.dit, and nearly achieved full domain control.

AD acts as the backbone of Windows domains, storing account data, group policies, and password hashes. Compromise of its core file effectively hands attackers the keys to the kingdom.

Full Kill Chain

Attack Overview

The breach began when attackers gained administrative privileges on a workstation through a phishing email that dropped a remote access tool.

From there, they moved laterally, capturing LSASS process memory to steal password hashes with Mimikatz.

Using Pass-the-Hash techniques, they authenticated to servers and ultimately reached a domain controller.

Once at the domain controller, the attackers faced a locked AD database. To bypass the lock, they used Volume Shadow Copy Service (VSS) to create a hidden snapshot of the system volume.

Critical files in staging folder

This allowed them to quietly extract the NTDS.dit file and the SYSTEM registry hive, which contains the decryption key. With these two files in hand, they could decrypt and process the entire AD database offline.

Rather than rely on noisy custom tools, the adversaries used built-in Windows commands like vssadmin and PowerShell utilities to copy locked files.

They repaired the extracted NTDS.dit copy with esentutl before dumping credentials with SecretsDump.

Finally, they compressed the NTDS.dit and SYSTEM hive into an archive and moved it to an attacker-controlled server using standard SMB connections to blend into normal traffic.

PsExec execution

Trellix Network Detection and Response (NDR) identified key stages of the breach by analyzing behavioral patterns and protocol anomalies rather than simple signatures.

The solution flagged:

  1. Suspicious SMB Traffic: High-volume file transfers to an external IP prompted an alert when service protocols deviated from normal patterns.
  2. Shadow Copy Creation: Unusual use of vssadmin by a non-administrative account triggered a behavioral detection, spotlighting potential database exfiltration.
  3. Archive Exfiltration: A sudden spike in SMB read operations on system volume snapshots was marked as a high-fidelity exfiltration signature.

Throughout the incident, Trellix NDR’s AI-powered engine correlated these alerts into a coherent kill chain, guiding analysts from initial compromise to data theft.

This contextual view accelerated response times and helped contain the breach before attackers could pivot further.

NTDS.dit exfiltration

This breach underscores three vital lessons:

  • Monitor Native Tool Usage: Alert on atypical VSS and registry export operations, even when using built-in commands.
  • Profile Protocol Behaviors: Establish baselines for SMB and RPC traffic to catch subtle exfiltration attempts.
  • Correlate Alerts into Chains: Group individual anomalies into a unified attack narrative to guide swift action.
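As an added illustration of the first and third lessons (example code, not part of the original article or of Trellix's product), the Python below scans constructed Sysmon-style process-creation events for the native-tool steps described above (vssadmin snapshot creation, esentutl repair of ntds.dit, SYSTEM hive export, reads from shadow-copy device paths) and correlates the hits per host into a chain. Host names, account names and command lines are hypothetical sample data.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (hypothetical sample data,
# not taken from the incident described in the article).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "esentutl /p C:\\staging\\ntds.dit /o"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save HKLM\\SYSTEM C:\\staging\\SYSTEM"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Detection rules: (stage name, case-insensitive regex over the command line).
# Each rule maps to one stage of the NTDS.dit theft chain from the article.
RULES = [
    ("vss_snapshot", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("shadow_copy_read", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("ntds_repair", re.compile(r"\besentutl(\.exe)?\b.*ntds\.dit", re.I)),
    ("system_hive_export",
     re.compile(r"\breg(\.exe)?\s+save\s+(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\b", re.I)),
    ("ntds_archive", re.compile(r"ntds\.dit.*\.(zip|7z|rar)\b", re.I)),
]


def match_rules(event):
    """Return the names of all stages whose regex matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def correlate(events, min_stages=2):
    """Group stage hits per host; a host showing >= min_stages distinct stages
    is reported as a chain, mirroring the 'correlate alerts into chains' lesson."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            per_host[ev["host"]].add(name)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: possible NTDS.dit theft chain -> {', '.join(stages)}")
```

A single hit (for example one legitimate backup job creating a shadow copy) is not reported on its own; only a host that accumulates several stages of the chain is surfaced, which keeps the rule set usable on real process telemetry.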

By detecting stealthy AD database theft at multiple points, modern NDR platforms like Trellix NDR can turn the tide against identity-based attacks.

Security teams should tune their monitoring to spot the invisible signs of NTDS.dit extraction before full domain compromise occurs.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.