NTDS.dit Password Extraction

How to detect, prevent, and mitigate NTDS.dit Password Extraction

By stealing the NTDS.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.

Once the hashes have been extracted or cracked, there is no limitation to what the attacker can do with them.

LEARN MORE ABOUT NTDS.DIT PASSWORD EXTRACTION

    Request A Free Trial


    Stealthbits’ NTDS.dit Password Extraction Solution

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate NTDS.dit Password Extraction.

    Detect NTDS.dit Password Extraction Attack

    The best detection is to look for unexpected access events on the NTDS.dit file.

    APPROACH

    NTDS.dit File Access

    DESCRIPTION

    Monitor for access to the NTDS.dit file in the following ways:

    • Direct access to the file on the file system. This file is locked by Active Directory while in use so typically an attacker cannot obtain the file without stopping the Active Directory service. Monitoring for access events as well as access denied events by user accounts can provide meaningful insight into unwanted access attempts, because the AD service runs as Local System.
    • Access to the NTDS.dit file through Volume Shadow Copies. While the file is locked attackers are able to create a shadow copy of the entire drive and extract the NTDS.dit file from the shadow copy.

    PRODUCT: StealthDEFEND

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    DOWNLOAD

    Mitigate NTDS.dit Password Extraction Attack

    The best way to protect against attacks leveraging the NTDS.dit file is to tightly control the administrative groups that provide access to your domain controllers.

    APPROACH

    DC Logon Groups

    DESCRIPTION

    Perform reviews of all domain groups which provide logon rights to domain controllers (e.g. Domain Admins, Server Operators) as the members of these groups can gain access to the Ntds.dit file which resides on the file system of the domain controller. Perform regular reviews and remove unnecessary members.

    PRODUCT: StealthAUDIT

    Seeing is believing.

    REQUEST A DEMO

    RESOURCES

    StealthAUDIT for Active Directory

    DATA SHEET

    LEARN MORE

    StealthDEFEND for Active Directory

    DATA SHEET

    LEARN MORE

    StealthINTERCEPT Enterprise Password Enforcer

    DATA SHEET

    LEARN MORE

    Free Risk Assessment

    Request a Trial

    Request a Demo

    Browse the Resource Library

    © 2022 Stealthbits Technologies, Inc.

    Privacy Policy