NTDS Extraction
NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys. Once retrieved, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.
This Indicator of Attack sends an alert when an event shows the creation of a shadow copy of the database file in an attempt to exfiltrate the NTDS.dit database.
Detection Type | Related to a Common Vulnerabilities and Exposures (CVE) | Available from Tenable.ad version |
---|---|---|
Generic IOC | No | 3.15 |
How the attack works
Since the operating system constantly accesses the NTDS.dit file, an attacker cannot read it directly while it is locked by the running Active Directory service. To retrieve the password hashes from the NTDS.dit file, an attacker must therefore be in one of the following situations:
- No shadow copy exists, so the attacker must create a new one to represent a backup or a snapshot of the "C:" volume to get access to the targeted NTDS.dit file.
- A shadow copy already exists, so the attacker has direct access to it.
Once the attacker creates a shadow copy, they only have to exfiltrate the NTDS.dit file from the shadow volume (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\ntds.dit) to a location which they control.
A broad range of tools can carry out this type of attack, including legitimate administration Windows tools such as vssadmin or esentutl.
How the IoA works
The NTDS Extraction Indicator of Attack can detect a large variety of attack tools by correlating Windows events specific to each step of this attack. Two main events drive the detection algorithm: one specific to the creation of the shadow copy, and the other specific to the creation of a process on the domain controller. This second step allows the detection of malicious exfiltration activity independently of the creation of a shadow copy.
As a consequence, the IoA can detect at an early stage any suspicious pattern linked to an exfiltration attack. Using other relevant Windows events, the IoA can also provide a detailed description of an NTDS exfiltration attack.
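The correlation described above, as an added illustration written for this page (it is not Tenable.ad's own detection code): it consumes the two driving events, VSSAudit 8222 (shadow copy created) and Security 4688 (process created, with the command line that the GPO setting below makes available), raises an alert on any process touching ntds.dit, and enriches that alert with the most recent shadow-copy creation when one happened shortly before. The command-line patterns, the ten-minute window and all event records are assumptions constructed for the example.

```python
"""Correlate Windows events into an NTDS.dit extraction alert.

Added example; it is not Tenable.ad's code. It models the two events the
page says drive the IoA: VSSAudit 8222 (shadow copy created) and
Security 4688 (process created, with command line). All event records
below are constructed, not real log exports.
"""
import re
from datetime import datetime, timedelta

# Command-line patterns (assumption: a minimal illustrative set).
SHADOW_CREATE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bcreate\s+shadow\b", re.I)
NTDS_RE = re.compile(r"ntds\.dit", re.I)
SHADOW_PATH_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)

# How long after a shadow copy creation a file access is still tied to it.
CORRELATION_WINDOW = timedelta(minutes=10)


def classify_cmdline(cmdline):
    """Tag a 4688 command line, or return None when nothing stands out."""
    if SHADOW_CREATE_RE.search(cmdline):
        return "shadow_copy_create"
    if NTDS_RE.search(cmdline) and SHADOW_PATH_RE.search(cmdline):
        return "ntds_from_shadow"      # database read out of a shadow volume
    if NTDS_RE.search(cmdline):
        return "ntds_access"           # tool touching the database by its live path
    return None


def correlate(events):
    """Return one alert per suspicious 4688, tied to the latest shadow copy event.

    An ntds.dit access is reported on its own (the page's "second step") and
    enriched with the preceding 8222 / vssadmin event when one fell inside
    CORRELATION_WINDOW.
    """
    alerts = []
    last_shadow = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["provider"] == "VSSAudit" and ev["id"] == 8222:
            last_shadow = ev
            continue
        if ev["provider"] != "Microsoft-Windows-Security-Auditing" or ev["id"] != 4688:
            continue
        tag = classify_cmdline(ev["cmdline"])
        if tag == "shadow_copy_create":
            last_shadow = ev           # a 4688 can reveal the creation as well
            continue
        if tag is None:
            continue
        linked = None
        if last_shadow is not None and ev["time"] - last_shadow["time"] <= CORRELATION_WINDOW:
            linked = last_shadow
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "user": ev["user"],
            "tag": tag,
            "cmdline": ev["cmdline"],
            "linked_shadow_event": None if linked is None else linked["id"],
            "severity": "high" if linked is not None else "medium",
        })
    return alerts


def sample_events():
    """Constructed events for a hypothetical domain controller DC01 (not real data)."""
    t0 = datetime(2024, 1, 15, 10, 0, 0)
    sec = "Microsoft-Windows-Security-Auditing"
    return [
        {"time": t0, "host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "provider": sec,
         "id": 4688, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
        {"time": t0 + timedelta(minutes=1), "host": "DC01", "user": "CORP\\jdoe",
         "provider": "VSSAudit", "id": 8222, "cmdline": ""},
        {"time": t0 + timedelta(minutes=2), "host": "DC01", "user": "CORP\\jdoe",
         "provider": sec, "id": 4688,
         "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\ntds.dit C:\Users\Public\n.dit"},
        {"time": t0 + timedelta(hours=4), "host": "DC01", "user": "CORP\\svc-backup",
         "provider": sec, "id": 4688,
         "cmdline": r"esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\Users\Public\ntds.dit"},
    ]


def run_demo():
    """Run the correlation over the constructed sample and return the alerts."""
    return correlate(sample_events())


if __name__ == "__main__":
    for a in run_demo():
        print(a["time"], a["severity"], a["tag"], a["user"], a["cmdline"])
```

On the sample, the copy out of the shadow volume two minutes after the 8222 event comes back as a high-severity alert linked to that event, while the esentutl access four hours later is still reported (medium) even though no shadow copy creation is near it, which is the independence from the shadow copy step that the text describes.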
Specific modifications in the environment
To have access to the full command line in the event Microsoft-Windows-Security-Auditing/4688, the IoA script automatically configures the policy settings on your domain controllers through the Tenable.ad Group Policy Object (GPO), as follows:
Location of the setting | Security policy setting | Value |
---|---|---|
Computer Configuration > Administrative Templates > System > Audit Process Creation | Include command line in process creation events | Enabled |
Events Auditing Policy
Provider Name | Channel | Event ID | Audit Policies | Value |
---|---|---|---|---|
VSSAudit | Security | 8222 | Category: Object Access; Sub-category: Audit Application Generated | Success |
Microsoft-Windows-Security-Auditing | Security | 4688 | Category: Detailed Tracking; Sub-category: Audit Process Creation | Success |
Microsoft-Windows-Security-Auditing | Security | 5145 | Category: Object Access; Sub-category: Audit Detailed File Share | Success |
ESENT | Application | 325 | N/A | N/A |
Microsoft-Windows-WMI-Activity | Microsoft-Windows-WMI-Activity/Operational | 5857 | N/A | N/A |
Microsoft-Windows-Security-Auditing | Security | 4624 | Category: Logon/Logoff; Sub-category: Audit Logon | Success |
Microsoft-Windows-Security-Auditing | Security | 4634 | Category: Logon/Logoff; Sub-category: Audit Logoff | Success |
Microsoft-Windows-Security-Auditing | Security | 4689 | Category: Detailed Tracking; Sub-category: Audit Process Termination | Success |
Microsoft-Windows-Security-Auditing | Security | 4674 | Category: Privilege Use; Sub-category: Audit Sensitive Privilege Use | Success / Failure |
Other requirements | Required |
---|---|
Sysmon extension | No |
Honey Account | No |