HackCert
Intermediate 8 min read May 25, 2026

NTDS Exfiltration: Techniques for Stealing the Password Database from Windows Domain Controllers!

Explore the mechanisms behind NTDS exfiltration and understand how attackers target Windows Domain Controllers to extract sensitive password hashes.

Nazia Sultana Akter
Security Researcher
Overview

In the landscape of enterprise IT networks, Microsoft Active Directory (AD) reigns supreme as the authoritative directory service and identity management platform. At the very core of this powerful architecture lies a single, critical file: the NTDS.dit file. This database is the crown jewel of any Active Directory environment, containing an enormous repository of sensitive information, including all domain user accounts, groups, group memberships, and, most crucially, the password hashes for every single user in the domain. Consequently, a Windows Domain Controller, which hosts this file, becomes the ultimate target for adversaries. Extracting this file—a process known as NTDS Exfiltration—equates to acquiring the keys to the entire corporate kingdom. This article explores the core concepts of NTDS exfiltration, the techniques employed by attackers, real-world implications, and robust strategies to defend against this catastrophic compromise.

Core Concepts

To understand the severity of NTDS exfiltration, one must first understand what the NTDS.dit file actually is and how it functions within a Windows ecosystem. The acronym "NTDS" stands for NT Directory Services, a legacy term that has persisted through the evolution of Windows Server. The file itself is an Extensible Storage Engine (ESE) database. It stores the Active Directory schema, configuration information, and domain data.

The most sensitive data within the NTDS.dit file consists of the password hashes. Active Directory does not store passwords in plain text. Instead, it stores a cryptographic representation known as an NTLM hash (and sometimes LM hashes, though this is heavily deprecated). Additionally, it stores Kerberos keys, which are essential for the Kerberos authentication protocol used in modern AD environments.

However, simply copying the NTDS.dit file from a running Domain Controller is not a straightforward task. Because the file is actively being used by the operating system and the Active Directory Domain Services (AD DS), it is locked by the system. A standard copy operation will fail with a sharing violation. Furthermore, even if an attacker manages to obtain a copy of the NTDS.dit file, the sensitive data within it (such as the password hashes) is encrypted.

This encryption is tied to a specific key stored in the system's registry, specifically the SYSTEM hive. To successfully extract and utilize the password hashes, an attacker must acquire both the NTDS.dit file and the Boot Key (often referred to as the SysKey), which is extracted from the SYSTEM registry hive. The Boot Key is used to decrypt the Password Encryption Key (PEK), which is stored within the NTDS.dit file itself. The PEK is then used to decrypt the actual password hashes. Therefore, NTDS exfiltration is a two-part heist: obtaining the database and obtaining the key to unlock it.

Common Exfiltration Techniques

Adversaries employ a variety of ingenious techniques to bypass the file locks and extract the NTDS.dit file and the associated SYSTEM hive. These techniques generally require administrative privileges (specifically, Domain Admin or Enterprise Admin rights) on the Domain Controller.

Volume Shadow Copy Service (VSS)

One of the most prevalent and reliable methods for extracting locked files is utilizing the Windows Volume Shadow Copy Service (VSS). VSS is a built-in Windows feature designed to create backup copies or snapshots of computer files or volumes, even when they are in use. Attackers leverage command-line tools like vssadmin or PowerShell scripts to create a shadow copy of the system drive (typically the C: drive) where the NTDS.dit file resides.

Once the shadow copy is created, the attacker can access the locked files from the snapshot, as the shadow copy itself is not locked by the AD DS process. They simply copy the NTDS.dit file and the SYSTEM hive from the shadow copy volume to an accessible location, package them up, and exfiltrate them. This method is highly effective because it relies on native Windows functionality, making it difficult for some security solutions to distinguish from legitimate backup operations.

NTDSUtil

ntdsutil.exe is a legitimate, built-in command-line tool provided by Microsoft for managing Active Directory databases. It is intended for administrators to perform database maintenance, offline defragmentation, and directory recovery. However, attackers frequently abuse its Install From Media (IFM) feature, which produces a full offline copy of the Active Directory database intended for promoting new Domain Controllers.

By executing the command ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q, an attacker can instruct ntdsutil to create a snapshot of the AD database and save the NTDS.dit file, along with the necessary registry hives (including SYSTEM), directly into the specified directory (c:\temp in this example). This technique is particularly dangerous because it automatically gathers both the database and the required keys in a single operation, streamlining the exfiltration process.

NinjaCopy and specialized tools

When native tools are closely monitored or restricted, attackers may turn to specialized, third-party utilities or PowerShell scripts designed to circumvent file locks directly. Tools like Invoke-NinjaCopy from the PowerSploit framework operate by reading the raw volume and parsing the NTFS file system structures to reach the NTDS.dit file, bypassing the Windows file APIs and their locking mechanisms altogether.

Other specialized tools, such as secretsdump.py from the Impacket suite, can extract the same credential data remotely without touching the file on disk, by using the directory replication protocol in what is known as a DCSync attack.

DCSync Attacks

A DCSync attack is a highly sophisticated technique that does not involve copying the NTDS.dit file directly from disk. Instead, the attacker impersonates a Domain Controller and utilizes the Directory Replication Service (DRS) Remote Protocol (MS-DRSR). By sending a DRSGetNCChanges request to a legitimate Domain Controller, the attacker tricks the DC into replicating the user credentials (including password hashes) directly to the attacker's machine.

This method requires specific Active Directory permissions (specifically, the 'Replicating Directory Changes' and 'Replicating Directory Changes All' rights), which are typically held by Domain Admins and Domain Controllers. DCSync is particularly stealthy because it exploits legitimate Active Directory replication mechanisms, generating less noise on the endpoint disk compared to file-copying methods.

Real-world Examples

The impact of a successful NTDS exfiltration is devastating. Once an attacker has extracted the password hashes, they can subject them to offline password cracking using powerful hardware and tools like Hashcat or John the Ripper. Weak passwords can be cracked in minutes, revealing the plain-text passwords of user accounts, including high-level executives and administrators.

Even if strong passwords resist cracking, the extracted NTLM hashes can be directly utilized in Pass-the-Hash (PtH) attacks. In a PtH attack, the adversary uses the hash itself to authenticate to network services, bypassing the need for the plain-text password entirely. With a complete list of domain hashes, the attacker achieves unfettered access to any system or resource in the network that relies on NTLM authentication.

Consider a scenario where an Advanced Persistent Threat (APT) group compromises a low-privileged workstation. Through lateral movement and privilege escalation, they eventually compromise an IT administrator's account. Using this account, they access a Domain Controller, execute a DCSync attack, and exfiltrate the password hashes for the entire organization.

Armed with these hashes, the APT group can now impersonate the CEO to access confidential financial documents, impersonate the database administrator to steal customer data, and create persistent, hidden "golden tickets" (using the krbtgt hash) to maintain access even if all user passwords are later reset. The entire network falls under the complete control of the attackers, leading to massive data breaches and operational paralysis.

Best Practices & Mitigation

Defending against NTDS exfiltration requires a defense-in-depth approach, focusing on restricting access to Domain Controllers, monitoring for suspicious activity, and implementing strong architectural security controls.

Restrict Domain Controller Access

The most critical mitigation is to strictly limit who can log on to and manage Domain Controllers.

  • Implement a Tiered Administration Model: Separate administrative accounts into tiers. Tier 0 should be reserved exclusively for accounts that manage Domain Controllers and critical identity infrastructure. Ensure that Tier 0 administrators only log onto Tier 0 systems (DCs) and never expose their credentials to lower-tier workstations where they could be compromised.
  • Use Privileged Access Workstations (PAWs): Administrators managing Active Directory should use dedicated, highly secured PAWs that are separate from their daily use workstations (which are exposed to email and web browsing risks).
  • Implement Just-in-Time (JIT) Administration: Avoid permanent Domain Admin assignments. Use JIT administration solutions to grant administrative access only when needed and for a limited duration.

Monitoring and Alerting

Vigilant monitoring is essential for detecting the early stages of an exfiltration attempt.

  • Monitor Event Logs: Closely monitor Windows Event Logs on Domain Controllers. Look for Event ID 4688 (Process Creation) indicating the execution of tools like vssadmin.exe, ntdsutil.exe, or suspicious PowerShell scripts.
  • Detect DCSync: Monitor network traffic and Domain Controller logs for unusual replication requests. Security Information and Event Management (SIEM) systems can be configured to alert on DRSGetNCChanges requests originating from IPs that are not legitimate Domain Controllers. Event ID 4662 (An operation was performed on an object) on the DC can indicate DCSync activity when the properties being accessed relate to replication.
  • Monitor VSS Activity: Alert on unexpected creation of Volume Shadow Copies, especially on Domain Controllers outside of approved backup windows.

Enhance Active Directory Security

Strengthening the overall AD posture reduces the likelihood of an attacker reaching the Domain Controller in the first place.

  • Enforce Strong Passwords: Implement a robust password policy that requires complexity and length, making offline cracking of any extracted hashes significantly more difficult.
  • Enable LSA Protection: Enable Local Security Authority (LSA) protection to prevent unauthorized processes from reading memory from LSASS, which can hinder credential dumping tools used during lateral movement towards the DC.
  • Restrict Remote Access: Use Windows Firewall and network segmentation to restrict Remote Desktop Protocol (RDP), WinRM, and other management protocols to Domain Controllers, allowing access only from designated management subnets or PAWs.
  • Regularly Audit Permissions: Routinely audit Active Directory permissions, paying special attention to the 'Replicating Directory Changes' right, ensuring it is only granted to necessary service accounts and Domain Controllers.

Key Takeaways

NTDS exfiltration represents one of the most critical security incidents an organization can face, effectively signaling a complete compromise of the Active Directory environment. The extraction of the NTDS.dit file and the SYSTEM hive provides adversaries with the cryptographic keys and password hashes necessary to impersonate any user and access any resource within the domain. By understanding the techniques attackers employ—from abusing VSS and ntdsutil to executing sophisticated DCSync attacks—organizations can implement targeted defenses. A robust security strategy must prioritize the strict control of administrative privileges, the use of secure management workstations, and continuous, vigilant monitoring of Domain Controller activity to detect and thwart these devastating attacks before the keys to the kingdom are lost.
