Hunting for NTDS Database Dumping

The Ntds.dit database is a critical component of Active Directory, containing sensitive information such as user credentials, password hashes, and other domain data. If attackers dump this database, they gain the keys to the entire Active Directory environment, potentially compromising all systems within the domain.

Attack Overview

Attackers can abuse legitimate utilities such as ntdsutil to dump the Ntds.dit database. Because the activity blends in with routine backup operations, it is hard to detect. Here's a typical attack workflow:

  1. Command Execution:

    • The attacker runs ntdsutil with parameters to create a backup of the Ntds.dit database, e.g.:

      ntdsutil "ac i ntds" "ifm" "create full C:\Users\Administrator\Desktop\NTDS_BACKUP" q q
  2. Output:

    • The database is dumped, along with critical registry hives like SYSTEM and SECURITY.

  3. Exfiltration:

    • The dumped files are then transferred to the attacker's machine for offline analysis.

Detection Techniques

Key Event IDs to Monitor

Dumping Ntds.dit writes several notable events to the Application event log under the ESENT event source. Focus on the following:

  1. Event ID 325:

    • Indicates the creation of a new database.

    • Look for abnormal paths in the File Path field (anything other than C:\Windows\NTDS\).

  2. Event ID 327:

    • Indicates that a database instance was detached.

    • Again, check the File Path for irregularities.

  3. Event ID 216:

    • Logged when the Ntds.dit file is written outside its default location.

    • The path should be analyzed to detect anomalies.

Example Detection Steps:

  • Filter for Events:

    • Use Event Viewer to filter Application Logs by ESENT event source.

    • Focus on Event IDs 325, 327, and 216.

  • Correlate Timestamps:

    • The events often occur in quick succession (milliseconds apart).

  • Keyword Search:

    • Use the Find function in Event Viewer to search for ntds.

Sample Event Analysis

  • Event ID 325:

    A new database was created.
    File Path: C:\Users\Administrator\Desktop\NTDS_BACKUP\ntds.dit
  • Event ID 327:

    Database engine detached the database.
    File Path: C:\Users\Administrator\Desktop\NTDS_BACKUP\ntds.dit
  • Event ID 216:

    The database file ntds.dit was written to disk outside of its default location.

These correlated events signal potential malicious activity.
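As an added example (not part of the original post), the filter-and-correlate steps above run in Python over constructed sample records shaped like the sample events: keep ESENT 325/327/216, flag any ntds.dit path outside C:\Windows\NTDS\, and group hits that land within a few seconds of each other. The record field names, the five-second window and the exact message wording are assumptions.

```python
import re
from datetime import datetime, timedelta

# Default location of the AD database; an ntds.dit written anywhere else is suspect.
DEFAULT_NTDS_DIR = "c:\\windows\\ntds\\"
WINDOW = timedelta(seconds=5)  # the three events normally land milliseconds apart
PATH_RE = re.compile(r"([a-z]:\\[^\r\n]*?ntds\.dit)", re.IGNORECASE)

# Constructed sample records (not real log data), shaped like the fields you would read
# from the Application log: TimeCreated, Id, ProviderName, Message.
DUMP = r"C:\Users\Administrator\Desktop\NTDS_BACKUP\ntds.dit"
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:15:02.100", "id": 325, "provider": "ESENT", "msg": f"A new database was created. File Path: {DUMP}"},
    {"time": "2024-05-01T10:15:02.250", "id": 327, "provider": "ESENT", "msg": f"Database engine detached the database. File Path: {DUMP}"},
    {"time": "2024-05-01T10:15:02.260", "id": 216, "provider": "ESENT", "msg": "The database file ntds.dit was written to disk outside of its default location."},
    # Benign: the DC's own database at the default path must not raise an alert.
    {"time": "2024-05-01T11:00:00.000", "id": 325, "provider": "ESENT", "msg": r"A new database was created. File Path: C:\Windows\NTDS\ntds.dit"},
]

def extract_ntds_path(msg):
    """Return the ntds.dit path named in an ESENT message, or None if it has none."""
    m = PATH_RE.search(msg)
    return m.group(1) if m else None

def is_suspicious(event):
    """216 is suspicious by definition; 325/327 only when the path leaves C:\\Windows\\NTDS\\."""
    if event["id"] == 216:
        return True
    path = extract_ntds_path(event["msg"])
    return path is not None and not path.lower().startswith(DEFAULT_NTDS_DIR)

def hunt_ntds_dump(events, window=WINDOW):
    """Keep suspicious ESENT 325/327/216, group hits within `window`, alert on groups with 2+ IDs."""
    def ts(e): return datetime.fromisoformat(e["time"])
    hits = sorted((e for e in events if e["provider"] == "ESENT"
                   and e["id"] in {325, 327, 216} and is_suspicious(e)), key=ts)
    groups = []
    for e in hits:  # start a new group whenever the gap to the previous hit exceeds the window
        if groups and ts(e) - ts(groups[-1][-1]) <= window:
            groups[-1].append(e)
        else:
            groups.append([e])
    alerts = []
    for g in groups:
        ids = {e["id"] for e in g}
        if len(ids) >= 2:  # a lone 325 at an odd path is a lead; the combination is the signal
            paths = {extract_ntds_path(e["msg"]) for e in g} - {None}
            alerts.append({"start": g[0]["time"], "ids": sorted(ids), "paths": sorted(paths)})
    return alerts
```

Running `hunt_ntds_dump(SAMPLE_EVENTS)` yields a single alert for the NTDS_BACKUP path carrying all three IDs, while the default-path event produces nothing.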

Mitigation Strategies

  1. Restrict Administrative Privileges:

    • Limit the number of users with access to Domain Controllers (DCs).

  2. Audit Administrative Access:

    • Continuously monitor logins and administrative actions on DCs.

  3. Enable and Monitor Logging:

    • Ensure Event IDs 325, 327, and 216 are captured and regularly reviewed.

  4. Alert on Anomalous Paths:

    • Configure alerts for file operations outside C:\Windows\NTDS\.

  5. Conduct Regular Audits:

    • Periodically audit backup locations and ensure they align with operational policies.

Key Points

By closely monitoring key ESENT events and correlating timestamps, defenders can effectively identify and respond to attempts at dumping the Ntds.dit database. These proactive measures reduce the risk of complete Active Directory compromise.
