Forensics traces of NTDS.dit dumping using ntdsutil utility

Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

• Volume Shadow Copy
• secretsdump.py
• Using the in-built Windows tool, ntdsutil.exe
• Invoke-NinjaCopy

In this post we will test in-built command ntdsutil.exe (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.

All you need is a command prompt running with administrator privileges, and the following commands:

This same technique is implemented in one of OilRig/APT34 post exploitation tools named Gon.exe (xHunt campaign) described here by Unit42:

Upon execution, Gon.exe process will create a process "cmd.exe /c" with following commandline:

Threat hunters can create a real time detection for this by monitoring cmd.exe with similar command line and ntdsutil execution.

Checking Domain Controller default application event logs, we come accross an interesting set of events that can be used as a forensic indicator for this technique:

• Log Name: Application
• Provider Name: "ESENT"
• EventIDs of interest: 325, 326, 327 and 216

Below example of traces of the NTDS.dit copy creation:

As can be seen above the same volume snapshot path is reported in both screenshots (Event Log and Gon.exe console).

More related events capturing other interesting details:

The path of the created ntds.dit copy is also captured in eventids 325 and 327. Eventid 216 also shows the creation of  a fresh copy of ntds.dit.

The only limitation of those events is their highvolatility in time, as the application events logs get filled quickly thus chances finding them post compromise are lower (it's recommended to augment the size of all event logs in general).

MITRE ATT&CK Mapping:

Tactic: Crednetial Access

Technique: Credential Dumping

Technique ID: T1003

Procedure: Ntdsutil 

References:

https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html

https://attack.mitre.org/techniques/T1003/

https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/