NTDS.dit Password Extraction

How to detect, prevent, and mitigate NTDS.dit Password Extraction

By stealing the NTDS.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.

Once the hashes have been extracted or cracked, there is no limitation to what the attacker can do with them.


STEALTHbits’ NTDS.dit Password Extraction Solution

STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.

Detect NTDS.dit Password Extraction Attack

The best detection is to look for unexpected access events on the NTDS.dit file.

APPROACH

NTDS.dit File Access

DESCRIPTION

Monitor for access to the NTDS.dit file in the following ways:

  • Direct access to the file on the file system. The file is locked by Active Directory while in use, so typically an attacker cannot obtain it without stopping the Active Directory service. Because the AD service runs as Local System, any access event or access denied event on the file generated by a user account is a meaningful signal of an unwanted access attempt.
  • Access to the NTDS.dit file through Volume Shadow Copies. While the live file is locked, attackers are able to create a shadow copy of the entire drive and extract the NTDS.dit file from the shadow copy, so access to the file under a shadow copy path should be monitored as well.

PRODUCT: StealthDEFEND
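The two monitoring cases above, as an added example that is not STEALTHbits code: it triages object-access audit events for the NTDS.dit file and flags user-account access, access denied attempts on the locked live file, and reads through a shadow copy path. The event records are constructed samples shaped like Windows Security log events 4663 (object accessed) and 4656 (handle requested, where a failure audit records an access denied attempt); the account names, SIDs and paths are assumptions.

```python
import re

# Constructed sample events shaped like Windows Security log records: 4663
# (object accessed) and 4656 (handle requested; a failure audit = access denied).
SYSTEM_SID = "S-1-5-18"  # Local System, the identity the AD service runs as
NTDS_RE = re.compile(r"ntds\.dit$", re.IGNORECASE)
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"EventID": 4663, "Keywords": "AuditSuccess", "SubjectUserSid": SYSTEM_SID,
     "SubjectUserName": "DC01$", "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4656, "Keywords": "AuditFailure", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "jsmith", "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "Keywords": "AuditSuccess", "SubjectUserSid": "S-1-5-21-1-2-3-1200",
     "SubjectUserName": "svc-backup",
     "ObjectName": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "Keywords": "AuditSuccess", "SubjectUserSid": "S-1-5-21-1-2-3-500",
     "SubjectUserName": "dcadmin", "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "Keywords": "AuditSuccess", "SubjectUserSid": SYSTEM_SID,
     "SubjectUserName": "DC01$", "ObjectName": r"C:\Windows\NTDS\edb.log"},
]


def classify(event):
    """Return a finding for an event that warrants attention, else None."""
    path = event.get("ObjectName", "")
    if not NTDS_RE.search(path):
        return None  # only the AD database file itself is of interest
    if SHADOW_RE.search(path):
        # The live file is locked; a read from a shadow copy sidesteps that lock
        return "ntds.dit read via volume shadow copy"
    if event["EventID"] == 4656 and event["Keywords"] == "AuditFailure":
        return "access denied to ntds.dit"  # attempt against the locked live file
    if event["SubjectUserSid"] != SYSTEM_SID:
        return "ntds.dit accessed by a user account, not Local System"
    return None  # Local System touching the live file is normal AD operation


def scan(events):
    """Collect (account, finding) pairs for every event that classify() flags."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event["SubjectUserName"], finding))
    return findings


if __name__ == "__main__":
    for account, finding in scan(SAMPLE_EVENTS):
        print(f"{account}: {finding}")
```

Object access auditing (a SACL on the NTDS.dit file plus the Object Access audit policy) must be enabled on the domain controller for these events to exist in the first place.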

Prevent NTDS.dit Password Extraction Attack

In order to prevent malicious access to the NTDS.dit file, you can implement blocking rules.

APPROACH

NTDS.dit File Access Blocking

DESCRIPTION

Block access to the NTDS.dit file both through Volume Shadow Copies and by direct access on the file system. This ensures that even an attacker who has full admin rights and stops Active Directory to release the lock on the file will not be able to access it directly.

PRODUCT: StealthINTERCEPT


Mitigate NTDS.dit Password Extraction Attack

The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.

APPROACH

DC Logon Groups

DESCRIPTION

Perform regular reviews of all domain groups that provide logon rights to domain controllers (e.g. Domain Admins, Server Operators), as the members of these groups can gain access to the NTDS.dit file residing on the file system of the domain controller, and remove unnecessary members.

PRODUCT: StealthAUDIT
