Cybersecurity threats targeting Active Directory (AD) domain controllers have increased in complexity, with attackers leveraging various techniques to extract credentials. This article explores three primary attack methods used to harvest credentials from NTDS.dit, the core database containing domain user credentials. We also discuss detection strategies to help defenders recognize and mitigate these threats.
In a Windows Active Directory (AD) environment, NTDS.dit is a database file that stores:
Usernames and password hashes
Group memberships
Security policies
Since domain controllers (DCs) authenticate users across the network, compromising NTDS.dit provides attackers with domain-wide access. However, this file is not accessible by default, requiring specific techniques to extract its data.
NTDSutil.exe is a built-in Windows tool used for managing and backing up Active Directory databases. Attackers can abuse it to create a backup copy of NTDS.dit and extract password hashes.
Run the following command on the domain controller:
__________________________________________________________
ntdsutil "ac i ntds" "ifm" "create full C:\backup" q q
_________________________________________________________
The tool generates a backup containing NTDS.dit and registry hives (SYSTEM and SECURITY).
Attackers extract password hashes using tools like Impacket’s secretsdump.py.
Directory Service Event Logs:
Event ID 1917 → NTDS.dit backup created
Event IDs 700 & 701 → Defragmentation of the database
Look for unauthorized use of NTDSutil.exe in PowerShell logs
Windows Volume Shadow Copy Service (VSS) allows system backups without disrupting operations. Attackers abuse this feature to copy NTDS.dit from a shadow volume.
Run DiskShadow.exe to create a shadow copy:
_______________________________________________________
diskshadow /s shadow.txt
_______________________________________________________
(shadow.txt contains configuration commands to create and mount a shadow copy.)
Mount the shadow copy as a drive and extract NTDS.dit.
Use secretsdump.py to retrieve password hashes.
System Event Logs (Service Control Manager):
Event ID 7036 → Volume Shadow Copy service started
Monitor abnormal VSS usage, especially on domain controllers
If an attacker obtains Domain Admin credentials, they can remotely dump NTDS.dit hashes without accessing the domain controller directly. This technique leverages Microsoft’s Directory Replication Service (DRS) API.
Run the following command using Impacket’s secretsdump:
_______________________________________________________
secretsdump.py -just-dc DOMAIN/Administrator@DC_IP
_______________________________________________________
The tool extracts NTLM password hashes for every user in the domain.
Security Event Logs:
Event ID 4624 → Unusual Domain Admin logins
Look for abnormal remote authentication requests via SMB
To protect against domain controller credential theft, security teams should implement a multi-layered approach:
Audit directory services (event logs related to NTDS.dit access).
Monitor Volume Shadow Copy (VSS) service events for unauthorized activity.
Track admin logins (Event ID 4624) from unusual sources.
Limit NTDSutil.exe and DiskShadow.exe access to administrators only.
Implement group policies to disable unnecessary tools.
Detect unexpected SMB traffic involving DCs.
Identify anomalous authentication requests from non-standard locations.
Enforce multi-factor authentication (MFA) for domain admins.
Limit the number of privileged accounts that can interact with NTDS.dit.
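The detection guidance above can be expressed as a small triage routine. This is an added example, not code from the article or from Insane Cyber; the event records are constructed samples, the field names (Channel, EventID, Computer, TargetUserName, IpAddress, NewProcessName, ServiceName, State) are assumed to come from a log pipeline that flattens Windows event XML, and the DC inventory, privileged accounts and admin jump-host list are placeholders.

```python
"""Triage Windows event records for the NTDS.dit theft paths described in the article:
ntdsutil backups (1917, 700/701), VSS on a DC (7036), unusual Domain Admin network
logons (4624), and launches of ntdsutil.exe / diskshadow.exe (4688 process creation)."""
from typing import Dict, Iterable, List, Tuple

DOMAIN_CONTROLLERS = {"DC01"}             # assumption: our DC inventory
PRIVILEGED_ACCOUNTS = {"administrator"}   # assumption: tier-0 accounts to watch
ADMIN_JUMP_HOSTS = {"10.0.0.5"}           # assumption: only expected sources of DA logons
AD_DUMP_TOOLS = {"ntdsutil.exe", "diskshadow.exe"}


def triage(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule, computer) for each event that matches one of the article's detections."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        eid, host, chan = ev.get("EventID"), ev.get("Computer", "?"), ev.get("Channel")
        if chan == "Directory Service" and eid == 1917:
            alerts.append(("ntds_backup_created", host))          # IFM / backup of NTDS.dit
        elif chan == "Directory Service" and eid in (700, 701):
            alerts.append(("ntds_defragmentation", host))         # offline defrag of the database
        elif (chan == "System" and eid == 7036 and host in DOMAIN_CONTROLLERS
              and "Volume Shadow Copy" in ev.get("ServiceName", "") and ev.get("State") == "running"):
            alerts.append(("vss_started_on_dc", host))            # VSS is rarely needed on a DC
        elif (chan == "Security" and eid == 4624 and ev.get("LogonType") == 3
              and ev.get("TargetUserName", "").lower() in PRIVILEGED_ACCOUNTS
              and ev.get("IpAddress") not in ADMIN_JUMP_HOSTS):
            alerts.append(("privileged_network_logon_unusual_source", host))  # DA from unknown host
        elif (chan == "Security" and eid == 4688
              and ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower() in AD_DUMP_TOOLS):
            alerts.append(("ad_dump_tool_launched", host))        # ntdsutil.exe / diskshadow.exe
    return alerts


SAMPLE_EVENTS = [  # constructed sample records, not from a real system
    {"Channel": "Directory Service", "EventID": 1917, "Computer": "DC01"},
    {"Channel": "System", "EventID": 7036, "Computer": "DC01", "ServiceName": "Volume Shadow Copy", "State": "running"},
    {"Channel": "System", "EventID": 7036, "Computer": "FS01", "ServiceName": "Volume Shadow Copy", "State": "running"},
    {"Channel": "Security", "EventID": 4624, "Computer": "DC01", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4624, "Computer": "DC01", "LogonType": 3,
     "TargetUserName": "Administrator", "IpAddress": "10.9.8.7"},
    {"Channel": "Security", "EventID": 4688, "Computer": "DC01",
     "NewProcessName": "C:\\Windows\\System32\\ntdsutil.exe"},
]

if __name__ == "__main__":
    for rule, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The file-server VSS start and the Domain Admin logon from the approved jump host produce no alert, which is the allowlisting a real deployment needs to keep the 7036 and 4624 rules from drowning in noise.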
Domain controller credential harvesting remains a highly effective attack technique used by APT groups like APT-28 and Hafnium. By understanding NTDSutil.exe abuse, VSS exploitation, and remote credential dumping, security teams can proactively detect and prevent unauthorized access.
The key takeaway is visibility—by combining host-based and network-based monitoring, defenders can identify suspicious activities early and prevent large-scale breaches.
MITRE ATT&CK Tactics: https://attack.mitre.org
Microsoft Security Documentation: https://docs.microsoft.com/en-us/security
Impacket Toolkit: https://github.com/fortra/impacket
Insane Cyber © All Rights Reserved 2025