Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[4] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.[5]
Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the use of the Windows utility, ntdsutil.[26][27]
Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utilities commands and parameters that can be used to copy the ntds.dit file. It is recommended to keep the list of commands and parameters up to date.
Note: Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users requesting access or accessing file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. Access rights that allow read operations on file objects and its attributes are %%4416 Read file data, %%4419 Read extended file attributes, %%4423 Read file attributes. If you search for just the name of the file and not the entire directory, you may get access events related to the ntds.dit file within a snapshot or volume shadow copy.
Events 4656 and 4663 (Microsoft Windows Security Auditing) provide context of processes and users creating or copying file objects (ObjectType = File) such as C:\Windows\NTDS\ntds.dit. It is important to note that, in order to generate these events, a System Access Control List (SACL) must be defined for the ntds.dit file. In order to filter file creation events, filter access rigths %%4417 Write data to the file and %%4424 Write file attributes.
Why is there 2 files named ntds.dit. C:\Windows\NTDS\ntds.dit and C:\Windows\System32\ntds.dit? Is there any difference between them?Another question, are changes to AD written to edb.log are equivalent to entries stored in System32\Winevt\Logs\Security.evtx?
During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) each 12 hours. This online defrag will arrange all pages in an optimal way internal in the ntds.dit, however the file size will never shrink, sometimes even grow. During the years of operations of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers, dns records and more are added and later removed. When deleted objects are finally removed (after the so called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.
The actual size of the ntds.dit could be easily studied through Explorer, as above. The size of the database is in this example around 575 MB. Note that Active Directory does not use a file level replication, so the file could be of various size on each Domain Controller in your domain. If wanted there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages the best possible way, and also to reclaim any empty space inside the database, which could make backup and restore faster and also possible increase AD performance.
The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%\NTDS\ntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is used to encrypt information in the ntds.dit file.) Although the ntds.dit file is locked while in use by AD, a copy can be made by creating a Volume Shadow Copy and extracting the ntds.dit file from the Shadow Copy. The SYSTEM registry hive may also be obtained from the Shadow Copy. The following example commands show the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.
The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe. Each of the following actor commands is a standalone example; multiple examples are provided to show how syntax and file paths may differ per environment.
Each actor command above creates a copy of the ntds.dit database and the SYSTEM and SECURITY registry hives in the C:\Windows\Temp\ directory, where is replaced with the path specified in the command (e.g., pro, tmp, or McAfee_Logs). By default, the hidden ADMIN$ share is mapped to C:\Windows\, so the last command will direct standard output and error messages from the command to a file within the folder specified.
The actor has also saved the files directly to the C:\Windows\Temp and C:\Users\Public directories, so the entirety of those directory structures should be analyzed. Ntdsutil.exe creates two subfolders in the directory specified in the command: an Active Directory folder that contains the ntds.dit and ntds.jfm files, and a registry folder that contains the SYSTEM and SECURITY hives. Defenders should look for this folder structure across their network:
Note: If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain. If this occurs, defenders should follow guidance for removing malicious actors from victim networks, such as CISA's Eviction Guidance for Network Affected by the SolarWinds and Active Directory/M365 Compromise.
Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
Once an attacker has administrator level access, many different tools can be used to extract the NTDS.DIT file and the SYSTEM hive from the domain controller. When the system can be taken offline, it's just a matter of restarting the server in Safe Mode and copying the files "c:windowsNTDSntds.dit" and "c:windowssystem32configSYSTEM" to their desired destination. In many cases however, taking a server offline could be noticed by users and it will leave a lot of audit log entries. A better option is to copy the files while the domain controller stays operational. Restoring copies of the files from a backup could be a quick solution, but this is not always an option. We might need to acquire a copy of the live database while leaving the server online. Because in this situation the files are in use, we will utilize some simple tricks.
Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.
You can sometimes improve the performance of Active Directory (AD) by moving the database file (ntds.dit) to a different physical drive. This can also be useful if you are running out of hard drive space. You can use the following steps to move the ntds.dit database file to a different location.
As described in its official definition we mainly need two files i.e. ntds.dit & System-hive for extracting NTLM password from inside it. Suppose while making penetration testing on host machine you found these file mention above then with help of following command you can extract hash password for admin account or for other accounts from inside it.
The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. The main features include offline ntds.dit file manipulation and querying domain controllers through the Directory Replication Service (DRS) Remote Protocol.
35fe9a5643