Cybersecurity threats targeting Active Directory (AD) domain controllers have increased in complexity, with attackers leveraging various techniques to extract credentials. This article explores three primary attack methods used to harvest credentials from NTDS.dit, the core database containing domain user credentials. We also discuss detection strategies to help defenders recognize and mitigate these threats.
In a Windows Active Directory (AD) environment, NTDS.dit is a database file that stores:
Usernames and password hashes
Group memberships
Security policies
Since domain controllers (DCs) authenticate users across the network, compromising NTDS.dit provides attackers with domain-wide access. However, this file is not accessible by default, requiring specific techniques to extract its data.
Maintaining strict control over who can access domain controllers is a fundamental step in defending your systems from attacks targeting the Ntds.dit file. This file stores critical Active Directory information, including user authentication data, making it a high-value target for malicious actors. If compromised, it could lead to significant security issues.
Safeguards Sensitive Information
Granting access only to those who truly need it helps protect the file from unauthorized use or manipulation. This precaution greatly reduces the chance of sensitive data being leaked or altered.
Reduces Exposure to Threats
Restricting access to a limited group of trusted individuals—ideally just Domain Admins—helps minimize the number of potential entry points for attackers. It’s also advisable to limit access for roles like Server Operators, Account Operators, and Print Operators, who may not require elevated privileges.
Improves Oversight
When access is limited, it becomes easier to track user activity. This enhances your ability to detect unusual behavior quickly and respond before a situation escalates.
Promotes Accountability
A smaller pool of authorized users means you can more easily determine who accessed what and when, encouraging responsible use of administrative rights.
Apply Role-Based Access Controls
Make sure user permissions match their current job functions. Regularly review these permissions and remove unnecessary privileges.
Schedule Regular Access Reviews
Periodic audits of access logs and user rights can reveal inconsistencies or unauthorized changes. This helps maintain a robust and current security posture.
By enforcing these measures, you not only protect the Ntds.dit file from being exploited but also strengthen the overall security framework of your organization’s IT systems.
Once threat actors gain access to password hashes, they can leverage a variety of tools to either reuse or decode those hashes to compromise systems further. Below are some of the most well-known utilities used in both pass-the-hash (PtH) attacks and password cracking efforts.
Mimikatz
Mimikatz is a powerful and widely recognized tool in the cybersecurity world. Originally developed for research and learning purposes, it has since been adopted by attackers to perform PtH attacks. With Mimikatz, an attacker can authenticate to a system by presenting a password hash instead of the actual password, effectively bypassing traditional login requirements.
Hashcat
Hashcat is a high-performance password recovery tool known for its flexibility and speed. It supports a wide range of hashing algorithms and uses techniques such as brute-force and dictionary attacks to reverse password hashes into their original form. It can run on both CPUs and GPUs, making it a favorite for large-scale cracking tasks.
John the Ripper
Another long-standing tool in the security community, John the Ripper is designed to detect weak passwords. It combines multiple cracking methods, including dictionary-based, brute-force, and hybrid attacks, to uncover passwords from hash values.
NTDSutil.exe is a built-in Windows tool used for managing and backing up Active Directory databases. Attackers can abuse it to create a backup copy of NTDS.dit and extract password hashes.
Run the following command on the domain controller:
__________________________________________________________
ntdsutil "ac i ntds" "ifm" "create full C:\backup" q q
_________________________________________________________
The tool generates a backup containing NTDS.dit and registry hives (SYSTEM and SECURITY).
Attackers extract password hashes using tools like Impacket’s secretsdump.py.
Directory Service Event Logs:
Event ID 1917 → NTDS.dit backup created
Event IDs 700 & 701 → Defragmentation of the database
Look for unauthorized use of NTDSutil.exe in PowerShell logs
Understanding How VSSAdmin Can Be Misused to Access the Ntds.dit File
The VSSAdmin command-line utility, originally designed to help administrators manage Volume Shadow Copies, can unfortunately be exploited by attackers to gain access to protected files—most notably, the Ntds.dit file, which stores Active Directory data critical to system authentication and identity management.
Creating a Shadow Copy to Bypass File Locks
The Ntds.dit file is typically locked by the system during operation, making it inaccessible through conventional means. By creating a Volume Shadow Copy using VSSAdmin, a read-only snapshot of the drive is generated—this bypasses the lock and makes a copy of the file available.
Copying the Ntds.dit File from the Snapshot
With the shadow copy in place, the attacker can navigate to the replica of the file system and extract the Ntds.dit file. This file includes encrypted user credentials and directory data that can be weaponized for further access.
Retrieving the SYSTEM Hive for Decryption
To interpret the password data stored in the Ntds.dit file, access to the SYSTEM registry hive is also required. This file holds the boot key used in the encryption process and can be gathered from the system registry or an additional shadow copy.
Concealing the Breach
Once the attacker has collected the necessary files, efforts are often made to erase evidence. This may include deleting logs or tampering with traces of activity to avoid detection by administrators or security software.
The misuse of VSSAdmin illustrates how built-in administrative tools can become security risks if not properly managed. It’s critical for organizations to monitor the use of such tools, limit administrative privileges, and employ alerting systems to flag unusual behavior. Awareness of these techniques helps reinforce preventive measures and improves the overall resilience of IT infrastructure.
Windows Volume Shadow Copy Service (VSS) allows system backups without disrupting operations. Attackers abuse this feature to copy NTDS.dit from a shadow volume.
Run DiskShadow.exe to create a shadow copy:
_______________________________________________________
diskshadow /s shadow.txt
_______________________________________________________
(shadow.txt contains configuration commands to create and mount a shadow copy.)
Mount the shadow copy as a drive and extract NTDS.dit.
Use secretsdump.py to retrieve password hashes.
System Event Logs (Service Control Manager):
Event ID 7036 → Volume Shadow Copy service started
Monitor abnormal VSS usage, especially on domain controllers
If an attacker obtains Domain Admin credentials, they can remotely dump NTDS.dit hashes without accessing the domain controller directly. This technique leverages Microsoft’s Directory Replication Service (DRS) API.
Run the following command using Impacket’s secretsdump:
_______________________________________________________
secretsdump.py -just-dc DOMAIN/Administrator@DC_IP
_______________________________________________________
The tool extracts NTLM password hashes for all users on the domain.
Security Event Logs:
Event ID 4624 → Unusual Domain Admin logins
Look for abnormal remote authentication requests via SMB
Part of the PowerSploit framework, the NinjaCopy module is a specialized PowerShell tool designed for stealthy file extraction. Though originally intended for security testing, this tool can be exploited to access critical system files such as Ntds.dit, which stores key components of Active Directory, including user credential data.
Direct Disk Access
NinjaCopy reads data directly from NTFS-formatted volumes at the raw level, allowing it to sidestep file locks and access restrictions normally enforced by the operating system. This makes it possible to extract protected files that would otherwise be inaccessible.
Evading Detection
Because it operates below the typical file system level, NinjaCopy can avoid detection by endpoint security tools and system logs. This stealth functionality is particularly valuable for attackers attempting to move unnoticed within a system.
Exploiting NTFS Internals
The module takes advantage of how NTFS stores and retrieves file data. By interacting with the disk at a lower level than traditional tools, it can pull files directly without needing user-level permissions, effectively bypassing built-in access controls.
The ability to extract files like Ntds.dit without triggering alarms makes NinjaCopy a serious concern for enterprise environments. If misused, it gives attackers a pathway to steal encrypted credentials and other directory data while leaving minimal trace. Understanding these techniques reinforces the need for strong endpoint protection, disk-level monitoring, and limiting access to forensic tools within production environments.
To protect against domain controller credential theft, security teams should implement a multi-layered approach:
Audit directory services (event logs related to NTDS.dit access).
Monitor Volume Shadow Copy (VSS) service events for unauthorized activity.
Track admin logins (Event ID 4624) from unusual sources.
Limit NTDSutil.exe and DiskShadow.exe access to administrators only.
Implement group policies to disable unnecessary tools.
Detect unexpected SMB traffic involving DCs.
Identify anomalous authentication requests from non-standard locations.
Enforce multi-factor authentication (MFA) for domain admins.
Limit the number of privileged accounts that can interact with NTDS.dit.
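As an added example that is not part of the original article, the following PowerShell hunt pulls the indicators described in the NTDSutil, VSS and remote-dumping detection sections above (and summarised in this list) from a domain controller's event logs. The look-back window, the admin source allow-list, the Security 4688 process-creation check and the log names are assumptions; confirm the event IDs against your own DC auditing configuration.

```powershell
# Added example, not code from the original article: hunt a DC's event logs for the
# NTDS.dit-theft indicators the article lists. Event IDs 1917/700/701, 7036 and 4624
# come from the article; the 4688 check, log names, look-back window and allow-list
# are assumptions. Run in an elevated session on the domain controller.
param(
    [int]$Hours = 24,
    # Constructed allow-list: subnets your administrators normally log on from.
    [string[]]$AdminSourcePrefixes = @('10.0.1.', '10.0.2.')
)
$since    = (Get-Date).AddHours(-$Hours)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Event, $Source, $Detail) {
    $findings.Add([pscustomobject]@{ Time = $Event.TimeCreated; Source = $Source; Id = $Event.Id; Detail = $Detail })
}
function Get-Events($Log, $Ids) {
    # A missing log or zero matches must not abort the rest of the hunt.
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

# 1. Directory Service log: IFM backup created (1917) and database defragmentation (700/701).
Get-Events 'Directory Service' @(1917, 700, 701) |
    ForEach-Object { Add-Finding $_ 'NTDS' (($_.Message -split "`r?`n")[0]) }

# 2. Security 4688 process creation for the tools the article names. Requires
#    "Audit Process Creation" with command-line logging enabled on the DC.
$toolRx = ('ntdsutil.exe', 'diskshadow.exe', 'vssadmin.exe' | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-Events 'Security' 4688 |
    ForEach-Object { if ($_.Message -match $toolRx) { Add-Finding $_ 'Process' $Matches[0] } }

# 3. System log: Service Control Manager 7036 when the VSS service enters the running state.
Get-Events 'System' 7036 |
    Where-Object { $_.Message -match 'Volume Shadow Copy' -and $_.Message -match 'running' } |
    ForEach-Object { Add-Finding $_ 'VSS' 'Volume Shadow Copy service started' }

# 4. Security 4624 network logons (type 3) by Domain Admins from outside the allow-list.
#    Get-ADGroupMember needs the ActiveDirectory module, which is present on DCs.
$admins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
Get-Events 'Security' 4624 | ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $fromAllowed = $AdminSourcePrefixes | Where-Object { $d.IpAddress -and $d.IpAddress.StartsWith($_) }
    if ($d.LogonType -eq '3' -and $admins -contains $d.TargetUserName -and
        $d.IpAddress -notin @('-', '::1', '127.0.0.1') -and -not $fromAllowed) {
        Add-Finding $_ 'Logon' "$($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress)"
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

A single IFM or 4688 hit on a DC outside a scheduled backup window warrants immediate triage; the 4624 results are noisy until the allow-list reflects your real admin workstations and jump hosts.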
The Ntds.dit file, a critical component of Active Directory containing user account and authentication data, is typically locked by the operating system, making it inaccessible through standard means. However, there are several ways to retrieve this file without interfering with system operations:
Windows includes a feature called Volume Shadow Copy Service (VSS), which allows users to create snapshots of system volumes. These snapshots include the Ntds.dit file in its current state. By utilizing tools like vssadmin, it’s possible to generate a backup of the system volume and extract the file from that snapshot—bypassing the system lock without disrupting active services.
PowerSploit, a collection of PowerShell-based penetration testing tools, includes modules that can access sensitive files under the right permissions. These scripts interact directly with system internals and, if misused, can be employed to pull the Ntds.dit file by leveraging administrative privileges or direct disk access methods.
Part of the standard toolkit for Active Directory administrators, NTDSUtil is a command-line utility that supports database maintenance and troubleshooting. It includes options to create safe copies of Ntds.dit, particularly useful during backup or recovery operations. With appropriate access, this tool can be used to export the file in a controlled and secure way.
In virtualized environments, a straightforward method is to capture a snapshot of the domain controller’s virtual machine. This snapshot includes all virtual disk data, allowing the Ntds.dit file to be extracted offline from the saved image, avoiding direct interaction with the live system.
Domain controller credential harvesting remains a highly effective attack technique used by APT groups like APT-28 and Hafnium. By understanding NTDSutil.exe abuse, VSS exploitation, and remote credential dumping, security teams can proactively detect and prevent unauthorized access.
The key takeaway is visibility—by combining host-based and network-based monitoring, defenders can identify suspicious activities early and prevent large-scale breaches.
MITRE ATT&CK Tactics: https://attack.mitre.org
Microsoft Security Documentation: https://docs.microsoft.com/en-us/security
Impacket Toolkit: https://github.com/fortra/impacket