Hunting for APT28/Hafnium NTDS.dit Domain Controller Credential Harvesting [MITRE ATT&CK T1003.003]

Unmasking APT28: How Credential Harvesting from NTDS.dit Fuels Domain Compromise

In the shadowy world of cyber espionage, few trophies are as coveted as the contents of an Active Directory domain controller. For sophisticated threat actors like APT28, gaining access to the ntds.dit file is a critical step in widespread credential harvesting. This database is the heart of a Windows domain, and compromising it can unravel an organization’s entire security posture.

The NTDS.dit File: A Goldmine for Credential Harvesting

Deep within the Active Directory framework lies the ntds.dit file. Think of it as the master ledger for the domain. It doesn’t just store usernames; it contains the password hashes for every single user. For groups like APT28, known for their persistent and targeted attacks, acquiring these hashes through credential harvesting is akin to finding a master key.

Once attackers get their hands on ntds.dit, they can employ various methods, such as pass-the-hash attacks or offline password cracking, to impersonate users, including those with the highest levels of administrative privilege. However, this treasure trove isn’t just lying around; it’s locked down, requiring specific techniques to pry it open.

The SYSTEM file plays a crucial companion role in this heist. This registry hive contains the Boot Key, which is essential for decrypting the password hashes stored within ntds.dit. Without the Boot Key, the ntds.dit file, while valuable, doesn’t immediately yield its most sensitive secrets. This is why attackers involved in credential harvesting almost always aim to exfiltrate both the ntds.dit and SYSTEM files.

APT28’s Toolkit: Techniques for Snatching NTDS.dit

Attackers, including groups like APT28, have a few well-honed methods for extracting the ntds.dit file to fuel their credential harvesting campaigns.

One common approach involves “living off the land” by abusing legitimate Windows tools. NTDSutil.exe, a command-line utility designed for Active Directory database maintenance, can be turned against its intended purpose.

An attacker with sufficient privileges on a domain controller can use NTDSutil.exe to create a backup of the Active Directory data, which conveniently packages the ntds.dit file along with necessary registry hives like SYSTEM and SECURITY. Once this backup is created, tools such as Impacket’s secretsdump.py can be used to extract the password hashes.

Another favored technique leverages the Windows Volume Shadow Copy Service (VSS). VSS creates snapshots of disk volumes, allowing backups to occur without interrupting system operations. Adversaries exploit this by instructing VSS, often via the VSSAdmin utility or DiskShadow.exe, to create a shadow copy of the drive where ntds.dit resides. They can then simply copy ntds.dit and the SYSTEM file from this snapshot.

This method is stealthy because it can avoid direct interaction with the locked live ntds.dit file and may not trigger traditional file access alerts. For instance, an attacker might use DiskShadow.exe with a script to create and mount a shadow copy, from which they can exfiltrate the target files. PowerShell-based tools like PowerSploit’s NinjaCopy offer an even stealthier approach by reading files directly from the NTFS volume at a raw disk level, bypassing standard file access restrictions and making the credential harvesting attempt harder to detect.

When an attacker, perhaps an operative from a group like APT28, has already managed to compromise Domain Admin credentials, they can perform remote credential harvesting using a DCSync attack.

This technique abuses the Directory Replication Service (DRS) Remote Protocol, essentially tricking the domain controller into replicating its data, including password hashes, as if the attacker’s machine were another domain controller. Tools like Impacket’s secretsdump.py can execute this attack with a command as straightforward as secretsdump.py -just-dc DOMAIN/Administrator@DC_IP, yielding NTLM password hashes for all domain users without needing to directly access the domain controller’s file system.

Detecting and Defending Against NTDS.dit Credential Harvesting

Detecting these sophisticated credential harvesting attempts requires a keen eye on system activities. Security teams should monitor for the unauthorized use of NTDSutil.exe, perhaps by scrutinizing PowerShell logs for its execution or looking for Directory Service event ID 1917, which indicates an ntds.dit backup.

Suspicious activity involving the Volume Shadow Copy service, such as unexpected VSS service starts (System Event ID 7036) or abnormal VSSAdmin invocations, particularly on domain controllers, can also signal an attack. For DCSync attacks, monitoring network traffic for unusual replication requests and scrutinizing Security Event ID 4624 for anomalous Domain Admin logins from unexpected sources are key.
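The indicators in the two paragraphs above (NTDSutil/VSSAdmin/DiskShadow execution, a VSS service start on a domain controller, and a Domain Admin logon from an unexpected source) can be turned into a small hunting rule set. The Python below is an added example, not code from the original article or from any Insane Cyber product. The event records are constructed, their field names are an assumed SIEM-style schema rather than any vendor's, the domain controller, Domain Admin and admin-workstation inventories are assumptions, and process execution is taken from Security event ID 4688 (process creation) rather than from PowerShell logs.

```python
import re
from dataclasses import dataclass

# Assumed environment inventory (constructed for this example).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
DOMAIN_ADMINS = {"CORP\\da-admin", "CORP\\da-backup"}
ADMIN_WORKSTATIONS = {"10.0.50.10", "10.0.50.11"}   # approved admin jump hosts

# Binaries the article names as extraction tooling. Matched on the image name
# at the start of the command line or after a path separator, quote or space,
# so an unrelated word containing "vssadmin" does not fire.
LOLBIN_RE = re.compile(r'(?:^|[\\/\s"])(ntdsutil|vssadmin|diskshadow)\.exe\b',
                       re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_process(event):
    """Rule 1: ntdsutil.exe anywhere; vssadmin/diskshadow on a domain controller."""
    m = LOLBIN_RE.search(event.get("command_line", ""))
    if not m:
        return None
    binary = m.group(1).lower()
    if binary == "ntdsutil" or event["host"] in DOMAIN_CONTROLLERS:
        return Alert("lolbin-on-dc", event["host"],
                     f"{binary}.exe launched: {event['command_line']}")
    return None


def check_vss_service(event):
    """Rule 2: System 7036 showing the VSS service entering the running state on a DC."""
    msg = event.get("message", "")
    if event["host"] in DOMAIN_CONTROLLERS and "Volume Shadow Copy" in msg \
            and "running" in msg:
        return Alert("vss-start-on-dc", event["host"], msg)
    return None


def check_admin_logon(event):
    """Rule 3: Security 4624 for a Domain Admin from a non-approved source address."""
    user = event.get("target_user", "")
    src = event.get("ip_address", "")
    if user in DOMAIN_ADMINS and src not in ADMIN_WORKSTATIONS:
        return Alert("da-logon-unexpected-source", event["host"],
                     f"{user} from {src} (logon type {event.get('logon_type')})")
    return None


# Dispatch on (channel, event id); unknown events are ignored.
RULES = {
    ("Security", 4688): check_process,
    ("System", 7036): check_vss_service,
    ("Security", 4624): check_admin_logon,
}


def hunt(events):
    """Run every record through the matching rule and collect the alerts."""
    alerts = []
    for ev in events:
        rule = RULES.get((ev.get("channel"), ev.get("event_id")))
        if rule is None:
            continue
        alert = rule(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records: two benign, four that should alert, one benign 7036.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688, "host": "FS01",       # benign: file server
     "command_line": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"channel": "Security", "event_id": 4688, "host": "DC01",       # suspicious
     "command_line": r"C:\Windows\System32\ntdsutil.exe"},
    {"channel": "Security", "event_id": 4688, "host": "DC02",       # suspicious
     "command_line": r"diskshadow.exe /s C:\Users\Public\s.txt"},
    {"channel": "System", "event_id": 7036, "host": "DC01",         # suspicious
     "message": "The Volume Shadow Copy service entered the running state."},
    {"channel": "System", "event_id": 7036, "host": "FS01",         # benign: not a DC
     "message": "The Volume Shadow Copy service entered the running state."},
    {"channel": "Security", "event_id": 4624, "host": "DC01",       # benign: approved PAW
     "target_user": "CORP\\da-admin", "ip_address": "10.0.50.10", "logon_type": 3},
    {"channel": "Security", "event_id": 4624, "host": "DC01",       # suspicious
     "target_user": "CORP\\da-admin", "ip_address": "10.0.7.23", "logon_type": 3},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running it on the sample set yields four alerts (the ntdsutil and diskshadow launches on the two domain controllers, the VSS start on DC01, and the Domain Admin logon from the 10.0.7.x address); the file-server events and the logon from the approved workstation stay quiet. The inventories are the part that matters in practice: the rules are only as good as the list of domain controllers and approved admin hosts behind them.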

Protecting ntds.dit and thwarting credential harvesting efforts by groups such as APT28 demands a robust, multi-layered defense. Start by enabling advanced logging and meticulous monitoring of directory services and VSS events. Consider deploying solutions that can alert on, or even block, attempts to retrieve files from volume shadow copies.

Restricting access to potent tools like NTDSutil.exe and DiskShadow.exe to only essential administrative personnel is crucial. Employ network-based anomaly detection to spot unusual SMB traffic involving domain controllers or strange authentication patterns. Implementing strong account controls, such as multi-factor authentication (MFA) for all administrative accounts, and severely limiting the number of privileged accounts that can interact with domain controllers or their backups, significantly raises the bar for attackers.

Furthermore, diligently manage and monitor memberships of privileged groups like Domain Admins, Server Operators, Print Operators, and Account Operators. These groups are prime targets for APT28 and other attackers seeking to escalate privileges for credential harvesting. Regularly audit these groups, recertify memberships, and ensure that only the absolute minimum necessary personnel retain such powerful access. This practice drastically shrinks the attack surface.

The theft of ntds.dit is a cornerstone of many advanced credential harvesting campaigns, providing attackers like APT28 with the keys to the kingdom. By understanding the attack vectors and implementing vigilant detection and defense strategies, organizations can significantly improve their resilience against these pervasive threats. Visibility into host and network activities is paramount to identifying suspicious behavior early and preventing a localized compromise from escalating into a full-blown domain breach.
