In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to use ADAudit Plus to detect a potential Password Extraction attack, specifically the unauthorized access of the ntds.dit file, understand the immediate and severe remediation steps, and implement long-term prevention strategies.
Prerequisites
You must have administrator access to the ADAudit Plus web console.
The necessary audit policy to generate Event ID 4663 (An attempt was made to access an object) must be enabled on all Domain Controllers.
Object-level auditing (SACL) must be configured on the C:\Windows\NTDS\ntds.dit file itself on all Domain Controllers to audit for "Read" access attempts.
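The following is an added example, not part of this article or of ADAudit Plus, showing one way to satisfy the two audit prerequisites above from an elevated PowerShell session on a Domain Controller. It assumes the database sits at the default path used in this article (C:\Windows\NTDS\ntds.dit); a Domain Controller that was promoted with a different database location will need that path changed.

```powershell
# Added example (not from the article or product): enable the audit policy and
# the SACL that together produce Event ID 4663 for read attempts on ntds.dit.
# Run in an elevated PowerShell session on each Domain Controller.
# Assumption: the database is at the default path named in the article. If the
# DC keeps it elsewhere, check the "DSA Database file" value under
# HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and adjust $ntdsFile.
$ntdsFile = 'C:\Windows\NTDS\ntds.dit'

# 1. Enable the Object Access > File System subcategory for success and failure,
#    which is what allows 4663 to be written at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry that audits ReadData attempts by Everyone on the file itself.
#    No inheritance flags are set because this is a single file, not a directory.
$acl  = Get-Acl -Path $ntdsFile -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $ntdsFile -AclObject $acl

# 3. Verify: the policy line should read "Success and Failure", and the SACL
#    should now list an Everyone / ReadData entry.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $ntdsFile -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Auditing "Everyone" rather than a specific group is deliberate: the account that reads the file in an attack is exactly the one you did not anticipate. Repeat on every Domain Controller, since each holds its own copy of the database and its own Security log.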
Steps to follow
The process for handling a Password Extraction attack involves detection, immediate and decisive remediation, and prevention.
Part 1: Detecting the attack
Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Password Extraction.
Review this report for any detected access events to the ntds.dit file.
Part 2: Understanding the detection criteria
ADAudit Plus detects a potential password extraction attack based on the following pattern:
Description: The ntds.dit file was accessed. This file is the core Active Directory database that stores all domain information, including the password hashes for all user accounts. Unauthorized access to this file is a catastrophic security breach.
Detection Logic:
Event Code equals 4663.
Accesses contains ReadData.
Object Name ends with Windows\NTDS\ntds.dit.
Account name does not end with $.
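As an added example, not taken from the article or from ADAudit Plus, the same four conditions can be applied directly to a Domain Controller's Security log to cross-check what the report shows. The script below is run in an elevated session on the Domain Controller; the 24-hour look-back window is an assumption and can be widened. "Accesses contains ReadData" is implemented by testing bit 0x1 (FILE_READ_DATA) of the event's AccessMask field, which is how that access right appears in the raw event data.

```powershell
# Added example (not from the article or product): reproduce the Password
# Extraction detection rule against the local Security log of a Domain Controller.
# Assumptions: run elevated on the DC; the look-back window of 24 hours is arbitrary.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
            -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Condition 1 (Event Code equals 4663) is already satisfied by the filter.
    # Condition 2: Accesses contains ReadData -> AccessMask bit 0x1 (FILE_READ_DATA) set.
    $readData = ([int]$d['AccessMask'] -band 0x1) -ne 0
    # Condition 3: Object Name ends with Windows\NTDS\ntds.dit.
    $isNtds   = $d['ObjectName'] -like '*Windows\NTDS\ntds.dit'
    # Condition 4: Account name does not end with $ (excludes machine accounts,
    # so the DC's own lsass.exe reads as SYSTEM are not reported).
    $isUser   = $d['SubjectUserName'] -notlike '*$'

    if ($readData -and $isNtds -and $isUser) {
        [pscustomobject]@{
            Time       = $ev.TimeCreated
            Account    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process    = $d['ProcessName']
            Object     = $d['ObjectName']
            AccessMask = $d['AccessMask']
        }
    }
}

# One row per matching read; an empty result means no rule match in the window.
$hits | Sort-Object Time | Format-Table -AutoSize
```

Two points follow directly from the rule. Because condition 4 only excludes accounts ending in "$", a backup job that runs under an ordinary service user and legitimately reads the file will also appear, which is why the report is reviewed rather than treated as an automatic verdict. And because condition 3 matches the live file path only, the Process column is worth recording for each hit: it shows which executable performed the read and is the first thing the investigation in Part 3 will ask for.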
Part 3: Immediate remediation
Unauthorized access to the ntds.dit file indicates a full domain compromise. You must assume the attacker has the password hashes for every account in the domain.
Assume Full Domain Compromise: This is a critical first step. The attacker likely possesses the hashes for all user, computer, and service accounts, including the krbtgt account, allowing them to create "Golden Tickets".
Isolate the Source Machine: The event log will show the Account Name and the source machine from which the file was accessed. Isolate this machine from the network immediately.
Disable the Compromised Account: The user account (Account Name) that accessed the file has Domain Admin-level privileges. Disable the account immediately for investigation.
Initiate Full Domain Recovery: This is not a simple password reset. You must treat this as a disaster recovery scenario.
Reset the krbtgt Account Password (Twice): This is the most critical step to invalidate any Kerberos "Golden Tickets". The password must be reset twice with a significant waiting period (at least a few hours) between resets.
Reset All Privileged Account Passwords: Reset the passwords for all members of Domain Admins, Enterprise Admins, Schema Admins, and all high-privilege service accounts.
Reset All User and Computer Passwords: Because the attacker has all hashes, a domain-wide password reset for all users and computers is required to fully secure the environment.
Investigate the Initial Compromise: A full forensic investigation is required to determine how the attacker gained the Domain Admin privileges needed to access the ntds.dit file.
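The following is an added example, not part of this article, covering the two account actions from the steps above that can be scripted: disabling the account that read the file, and resetting the krbtgt password. It uses the ActiveDirectory PowerShell module from a clean Tier 0 administrative workstation. 'ATTACKER-ACCOUNT' is a placeholder for the Account Name reported in the 4663 event. The krbtgt block is run once now and run again, unchanged, after the waiting period; isolating the source machine and the full domain-wide reset are not covered here.

```powershell
# Added example (not from the article or product): scripted parts of the
# immediate remediation. Assumptions: ActiveDirectory module available, run as a
# Domain Admin from a trusted Tier 0 workstation, 'ATTACKER-ACCOUNT' replaced
# with the Account Name from the 4663 event.
Import-Module ActiveDirectory

$compromised = 'ATTACKER-ACCOUNT'   # placeholder: Account Name from the event

# Step: disable the account that accessed ntds.dit, then confirm the state.
Disable-ADAccount -Identity $compromised
Get-ADUser -Identity $compromised -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

# Step: reset krbtgt to a random password. The KDC still honours tickets sealed
# with the previous key after one reset, which is why the article requires a
# second reset after a waiting period: only then is the old key retired.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword

# Record when this reset happened so the interval before the second one can be
# measured, and confirm replication is healthy before performing the second reset.
Get-ADUser -Identity krbtgt -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
repadmin /replsummary
```

Keep the PasswordLastSet value from the first run; the second run should happen only after that timestamp has replicated to every Domain Controller (repadmin reporting no failures) and the waiting period described above has passed.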
Validation and confirmation
After remediation, the Password Extraction report in ADAudit Plus should show no new unauthorized access events.
All privileged and user account passwords, including krbtgt, are confirmed to have been reset.
The compromised machine has been rebuilt, and the attacker's initial access vector has been identified and closed.
Tips
The following best practices are critical for preventing the compromise of the ntds.dit file.
Principle of Least Privilege (PoLP)
Strictly limit membership in privileged groups like Domain Admins and Enterprise Admins. Only a minimal number of trusted administrators should be in these groups.
Secure Domain Controllers
Treat Domain Controllers as Tier 0 assets, the most secure systems in your network. Restrict physical and remote access to only a small number of authorized Tier 0 administrators.
Do not install any other software (e.g., web browsers, productivity tools) on Domain Controllers.
Keep Domain Controllers fully patched and securely configured according to security best practices.
Implement a Tiered Access Model
Ensure that privileged Tier 0 accounts are never used to log in to lower-tier systems like member servers or workstations, where their credentials could be stolen.
Provide just-in-time (JIT) access
Provide just-in-time (JIT) access for all administrative functions on Domain Controllers.
Related topics and articles
How to configure Attack Surface Analyzer in ADAudit Plus