NTDS Extraction

NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys. Once retrieved, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.

This Indicator of Attack sends an alert when an event shows the creation of a shadow copy of the database file in an attempt to exfiltrate the NTDS.dit database.

Detection Type                                             Generic IOC
Related to a Common Vulnerabilities and Exposures (CVE)    No
Available from Tenable.ad version                          3.15

How the attack works

Because the operating system keeps the NTDS.dit file open and locked, an attacker cannot read it directly while the system is using it. To retrieve the password hashes from NTDS.dit, the attacker must therefore be in one of the following situations:

  • No shadow copy exists, so the attacker must create a new one to represent a backup or a snapshot of the "C:" volume to get access to the targeted NTDS.dit file.

  • A shadow copy already exists, so the attacker has direct access to it.

Once the attacker creates a shadow copy, they only have to exfiltrate the NTDS.dit file from the shadow volume (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\ntds.dit) to a location which they control.

A broad range of tools can carry out this type of attack, including legitimate Windows administration tools such as vssadmin or esentutl.

How the IoA works

The NTDS Extraction Indicator of Attack can detect a large variety of attack tools by correlating Windows events specific to each step of this attack. Two main events drive the detection algorithm: one specific to the creation of the shadow copy, and the other specific to the creation of a process on the domain controller. This second step allows the detection of malicious exfiltration activity independently of the creation of a shadow copy.

As a consequence, the IoA can detect suspicious patterns linked to an exfiltration attack at an early stage. By using other relevant Windows events, the IoA can also provide a detailed description of an NTDS exfiltration attack.

Specific modifications in the environment

To have access to the full command line in the event Microsoft-Windows-Security-Auditing/4688, the IoA script automatically configures the policy settings on your domain controllers through the Tenable.ad Group Policy Object (GPO), as follows:

Location of the setting:    Computer Configuration > Administrative Templates > System > Audit Process Creation
Security policy setting:    Include command line in process creation events
Value:                      Enabled

Events Auditing Policy

Provider Name                        Channel                                     Event ID  Audit Policies (Category > Sub-category)         Value
VSSAudit                             Security                                    8222      Object Access > Audit Application Generated      Success / Failure
Microsoft-Windows-Security-Auditing  Security                                    4688      Detailed Tracking > Audit Process Creation       Success / Failure
Microsoft-Windows-Security-Auditing  Security                                    5145      Object Access > Audit Detailed File Share        Success / Failure
ESENT                                Application                                 325       N/A                                              N/A
Microsoft-Windows-WMI-Activity       Microsoft-Windows-WMI-Activity/Operational  5857      N/A                                              N/A
Microsoft-Windows-Security-Auditing  Security                                    4624      Logon/Logoff > Audit Logon                       Success / Failure
Microsoft-Windows-Security-Auditing  Security                                    4634      Logon/Logoff > Audit Logoff                      Success / Failure
Microsoft-Windows-Security-Auditing  Security                                    4689      Detailed Tracking > Audit Process Termination    Success / Failure
Microsoft-Windows-Security-Auditing  Security                                    4674      Privilege Use > Audit Sensitive Privilege Use    Success / Failure
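The following is an added illustration of the correlation described under "How the IoA works", written for this page and not Tenable.ad's own detection code. It takes the event IDs from the table above (8222 for the shadow copy, 4688 for process creation, 5145 as file-share context) and runs a simple correlation over constructed sample events. The field names of the sample events, the ten-minute window, and the substring matching on the tool names and shadow-copy path named on this page are all assumptions. It also shows what happens when the 4688 event carries no command line because the "Include command line in process creation events" setting is not applied: the check degrades to an image-name match and the alert says so.

```python
"""Added example: correlating 8222 / 4688 / 5145 events into an NTDS extraction alert.

Not Tenable.ad's detection logic. Sample events, field names, the correlation
window and the matching rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tool names and the shadow-copy path fragment come from this page; matching on
# these substrings is an assumption of this example, not Tenable's rule set.
NTDS_MARKERS = ("ntds.dit", "harddiskvolumeshadowcopy")
SHADOW_TOOLS = ("vssadmin.exe", "esentutl.exe")
WINDOW = timedelta(minutes=10)  # assumed correlation window


@dataclass
class Event:
    event_id: int
    time: datetime
    computer: str          # domain controller that logged the event
    data: dict = field(default_factory=dict)


@dataclass
class Alert:
    severity: str
    computer: str
    reason: str
    evidence: list = field(default_factory=list)


def process_matches(ev: Event) -> tuple:
    """Decide whether a 4688 event looks like NTDS extraction.

    With a command line present, match on the NTDS markers only. With an empty
    command line (the audit setting described on this page not enabled) fall
    back to the image name and report that degradation to the analyst.
    """
    image = ev.data.get("NewProcessName", "").lower()
    cmd = ev.data.get("CommandLine", "").lower()
    if not cmd:
        return image.endswith(SHADOW_TOOLS), "command line missing from 4688: image-name match only"
    return any(m in cmd for m in NTDS_MARKERS), ""


def correlate(events: list) -> list:
    """Correlate events per domain controller and return the alerts raised."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.computer, []).append(ev)
    for host, evs in by_host.items():
        shadow_times = [e.time for e in evs if e.event_id == 8222]
        for ev in evs:
            if ev.event_id != 4688:
                continue
            hit, note = process_matches(ev)
            if not hit:
                continue
            # Step 1 (shadow copy) seen shortly before step 2 (process)?
            recent_shadow = any(timedelta(0) <= ev.time - t <= WINDOW for t in shadow_times)
            # 5145 share access touching ntds.dit near the process adds context
            context = [e for e in evs if e.event_id == 5145
                       and abs(e.time - ev.time) <= WINDOW
                       and "ntds.dit" in e.data.get("RelativeTargetName", "").lower()]
            if recent_shadow:
                sev, why = "high", "shadow copy (8222) followed by NTDS-related process (4688)"
            else:
                # The process step alone still alerts, independently of 8222.
                sev, why = "medium", "NTDS-related process (4688) without a preceding 8222"
            if note:
                why += "; " + note
            alerts.append(Alert(sev, host, why, [ev] + context))
    return alerts


# Constructed sample events (timestamps, hosts and field values are made up).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SHADOW_PATH = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\ntds.dit"
SAMPLE_EVENTS = [
    Event(4624, T0, "DC01", {"TargetUserName": "svc_backup", "LogonType": "3"}),
    Event(8222, T0 + timedelta(seconds=30), "DC01", {"Volume": "C:"}),  # constructed 8222 fields
    Event(4688, T0 + timedelta(minutes=2), "DC01",
          {"NewProcessName": r"C:\Windows\System32\esentutl.exe",
           "CommandLine": "esentutl.exe <options> " + SHADOW_PATH}),
    Event(5145, T0 + timedelta(minutes=3), "DC01",
          {"ShareName": r"\\*\C$", "RelativeTargetName": r"temp\ntds.dit"}),
    # Second DC: same tool, no 8222 seen, and no command line recorded.
    Event(4688, T0 + timedelta(minutes=5), "DC02",
          {"NewProcessName": r"C:\Windows\System32\esentutl.exe", "CommandLine": ""}),
    # Benign process creation that must not alert.
    Event(4688, T0 + timedelta(minutes=6), "DC01",
          {"NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        ids = [e.event_id for e in a.evidence]
        print(f"[{a.severity}] {a.computer}: {a.reason} (evidence: {ids})")
```

Running the block yields a high-severity alert for DC01 (8222 then 4688, with the 5145 share access attached as evidence) and a medium-severity alert for DC02 that also tells the analyst the command line was absent, which is the situation the GPO setting above is meant to prevent.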
Other requirements
Sysmon extension    No
Honey Account       No

See also