Forela's domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert of vssadmin being used on the DC; since this is not part of the routine schedule, we have good reason to believe that the attacker abused this LOLBIN utility to get the Domain environment's crown jewel. Perform some analysis on the provided artifacts for a quick triage and, if possible, kick the attacker out as early as possible.
https://app.hackthebox.com/sherlocks/CrownJewel-1
https://www.hackthebox.com/blog/ntds-dumping-attack-detection
NTDS.dit is the Active Directory database, stored by default at C:\Windows\NTDS\NTDS.dit on a domain controller. It contains every AD object, including password hashes and Kerberos keys, which makes it a prime target for attackers. Reading it requires administrative rights, and the file is locked while AD DS is running, so attackers typically take a Volume Shadow Copy with vssadmin or diskshadow (or let ntdsutil's IFM function create the snapshot for them) and copy the file out of the snapshot together with the SYSTEM registry hive, which holds the boot key needed to decrypt the stored hashes.

With those two files the hashes can be extracted offline using tools such as Mimikatz, secretsdump.py, or NTDSXtract. They can then be cracked, used in pass-the-hash attacks, or, once the krbtgt account's hash is recovered, used to forge Golden Tickets that grant long-term access.

Monitoring for suspicious use of these tools, unusual access to NTDS.dit or the SYSTEM hive, and the related event IDs (for example process creation with command-line auditing and Volume Shadow Copy service state changes) helps detect this activity.
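To make the detection guidance concrete, here is an added Python triage over Windows event records (this is example code written for this write-up, not from the original page, HTB, or any vendor). The records are constructed dicts; their keys imitate EVTX EventData field names (NewProcessName, CommandLine, SubjectUserName, param1/param2), and the use of Event ID 8222 (VSS "shadow copy has been created", Application log) as an indicator is an assumption you should verify against your own logs before relying on it.

```python
"""Triage Windows event records for the NTDS.dit dump chain described above.

Added example, not code from the original write-up. Records are plain dicts
whose keys mimic EVTX EventData field names (NewProcessName, CommandLine,
SubjectUserName, param1/param2); those names, and the use of Event ID 8222
(VSS "shadow copy has been created", Application log) as an indicator, are
assumptions to verify against your own logs.
"""
import re

# Constructed sample records, not real Forela DC events.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7036, "TimeCreated": "2024-05-14T03:42:10Z",
     "param1": "Volume Shadow Copy", "param2": "running"},
    {"Channel": "Security", "EventID": 4688, "TimeCreated": "2024-05-14T03:42:12Z",
     "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"Channel": "Security", "EventID": 4688, "TimeCreated": "2024-05-14T03:43:05Z",
     "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                    r"\Windows\NTDS\NTDS.dit C:\Temp\ntds.dit"},
    {"Channel": "Security", "EventID": 4688, "TimeCreated": "2024-05-14T03:43:09Z",
     "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Temp\system.hiv"},
    {"Channel": "Security", "EventID": 4688, "TimeCreated": "2024-05-14T09:00:00Z",
     "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Command-line indicators for the shadow copy -> NTDS.dit -> SYSTEM hive chain.
CMDLINE_INDICATORS = [
    ("vssadmin_create_shadow",   re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("diskshadow",               re.compile(r"\bdiskshadow(\.exe)?\b", re.I)),
    ("ntdsutil_ifm_or_snapshot", re.compile(r"ntdsutil.*\b(ifm|snapshot)\b", re.I)),
    ("shadow_copy_path",         re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)),
    ("ntds_dit_access",          re.compile(r"\bntds\.dit\b", re.I)),
    ("system_hive_export",       re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
]


def triage_events(events):
    """Return (time, event_id, indicator, detail) tuples, oldest first."""
    findings = []
    for ev in events:
        eid, chan, ts = ev["EventID"], ev["Channel"], ev["TimeCreated"]
        if chan == "System" and eid == 7036 and ev.get("param1") == "Volume Shadow Copy":
            # Service Control Manager: the VSS service changed state (e.g. to "running")
            # right before a snapshot is taken; normal for backups, odd off-schedule.
            findings.append((ts, eid, f"vss_service_{ev.get('param2', 'unknown')}", ev["param1"]))
        elif chan == "Application" and eid == 8222:
            # Assumed VSS event meaning a shadow copy was created; verify ID and channel locally.
            findings.append((ts, eid, "shadow_copy_created", ev.get("Process", "")))
        elif chan == "Security" and eid == 4688:
            # Process creation; CommandLine is only present when command-line auditing is on.
            cmd = ev.get("CommandLine") or ev.get("NewProcessName", "")
            for name, pattern in CMDLINE_INDICATORS:
                if pattern.search(cmd):
                    findings.append((ts, eid, name, f"{ev.get('SubjectUserName', '?')}: {cmd}"))
    findings.sort(key=lambda f: f[0])
    return findings


def attack_window(findings):
    """Earliest and latest indicator timestamps, for scoping the triage."""
    if not findings:
        return None
    return findings[0][0], findings[-1][0]


if __name__ == "__main__":
    hits = triage_events(SAMPLE_EVENTS)
    for ts, eid, indicator, detail in hits:
        print(f"{ts}  EID {eid:<5} {indicator:<24} {detail}")
    print("window:", attack_window(hits))
```

On the constructed input the script ties the VSS service start, the vssadmin snapshot, the copy out of the HarddiskVolumeShadowCopy path, and the reg save of the SYSTEM hive into one window of under a minute, while the unrelated notepad launch produces nothing. Against real data you would feed it records exported from the Security, System and Application logs and treat the window as the scope for the rest of the triage.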


You are given Event Logs and an MFT file
What is the MFT?
The Master File Table (MFT) is a system file in the NTFS file system (named $MFT) that stores metadata about all files and directories on an NTFS volume. It acts as an index, providing quick access to information needed to locate and retrieve files.
Each file and directory on an NTFS volume has a record in the MFT, known as an MFT entry (or FILE record). An entry stores the file's attributes: $STANDARD_INFORMATION and $FILE_NAME, each carrying its own set of created, modified, MFT-changed and accessed timestamps, plus the file name, a security identifier, and either the data itself (for small, resident files) or pointers to the clusters that hold it. Whenever a file is created or modified, its MFT entry is updated. For triage the two timestamp sets are what matter: $STANDARD_INFORMATION timestamps can be rewritten from user mode with ordinary file APIs, whereas $FILE_NAME timestamps are set by the kernel, so a $STANDARD_INFORMATION creation time that is earlier than the $FILE_NAME one is a strong sign of timestomping.
I will use Splunk to analyze the Event Logs and MFTECmd from Eric Zimmerman's EZ Tools, along with Timeline Explorer, to examine the MFT data.
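Since the MFT is examined here through MFTECmd's CSV export, the following added Python example (written for this write-up; not code from the original page or from Eric Zimmerman's tools) shows the triage logic in a form that can be scripted: pick out every ntds.dit and SYSTEM hive entry, flag copies that sit outside their default directories, compare the $STANDARD_INFORMATION and $FILE_NAME creation times, and report when the staged copy was created. The column names (ParentPath, FileName, FileSize, InUse, Created0x10, Created0x30, LastModified0x10) and the timestamp format are assumed to match MFTECmd's defaults, and the CSV rows are constructed sample data, not the Sherlock's MFT.

```python
"""Find NTDS.dit and SYSTEM hive copies in MFTECmd CSV output.

Added example, not code from the original write-up. It assumes the column
names MFTECmd writes (ParentPath, FileName, FileSize, InUse, Created0x10,
Created0x30, LastModified0x10) and its default timestamp format; the CSV
below is constructed sample data, not the Sherlock's MFT.
"""
import csv
import io
from datetime import datetime

# Constructed rows: the live database and hive in their default locations,
# a copy of each under C:\Temp (the hive copy with a backdated $SI time), and
# one unrelated file as noise.
SAMPLE_MFT_CSV = """\
EntryNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30,LastModified0x10
41023,True,.\\Windows\\NTDS,ntds.dit,.dit,12582912,2023-01-10 08:15:22.0000000,2023-01-10 08:15:22.0000000,2024-05-14 03:40:00.0000000
5120,True,.\\Windows\\System32\\config,SYSTEM,,17825792,2023-01-10 08:10:00.0000000,2023-01-10 08:10:00.0000000,2024-05-14 03:30:00.0000000
98811,True,.\\Temp,ntds.dit,.dit,12582912,2024-05-14 03:43:05.1250000,2024-05-14 03:43:05.1250000,2024-05-14 03:43:05.9000000
98812,True,.\\Temp,system.hiv,.hiv,17825792,2019-03-01 00:00:00.0000000,2024-05-14 03:43:09.4000000,2024-05-14 03:43:09.4000000
100,True,.\\Windows\\System32,notepad.exe,.exe,201216,2023-01-10 08:00:00.0000000,2023-01-10 08:00:00.0000000,2023-01-10 08:00:00.0000000
"""

# Where these files legitimately live on a DC (lower-case, no drive letter).
DEFAULT_PARENT = {
    "ntds": "\\windows\\ntds",
    "system_hive": "\\windows\\system32\\config",
}


def classify(filename):
    """Map a file name to the sensitive artifact it represents, or None."""
    name = filename.lower()
    if name == "ntds.dit":
        return "ntds"
    if name in ("system", "system.hiv", "system.sav", "system.bak"):
        return "system_hive"
    return None


def parse_ts(value):
    """Parse MFTECmd's 'yyyy-MM-dd HH:mm:ss.fffffff' (or fraction-less) timestamps."""
    value = value.strip()
    if "." in value:
        # strptime's %f takes at most six digits; trim the seventh.
        return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def normalise_parent(parent_path):
    """Drop MFTECmd's leading '.' and lower-case the path so it compares with DEFAULT_PARENT."""
    return parent_path.lower().lstrip(".").rstrip("\\")


def find_sensitive_files(csv_text):
    """Return one dict per ntds.dit / SYSTEM hive entry, with triage flags."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["FileName"])
        if kind is None:
            continue
        si_created = parse_ts(row["Created0x10"])  # $STANDARD_INFORMATION: user-modifiable
        fn_created = parse_ts(row["Created0x30"])  # $FILE_NAME: written by the kernel
        outside_default = normalise_parent(row["ParentPath"]) != DEFAULT_PARENT[kind]
        results.append({
            "kind": kind,
            "path": row["ParentPath"] + "\\" + row["FileName"],
            "size": int(row["FileSize"]),
            "in_use": row["InUse"].lower() == "true",
            "fn_created": fn_created,
            # A copy outside the default directory is the staged dump.
            "outside_default_path": outside_default,
            # $SI created before $FN created does not happen naturally: timestomp suspect.
            "timestomp_suspect": si_created < fn_created,
        })
    return results


def staged_dump_time(results):
    """Earliest $FILE_NAME creation time among copies outside their default path."""
    staged = [r["fn_created"] for r in results if r["outside_default_path"]]
    return min(staged) if staged else None


if __name__ == "__main__":
    rows = find_sensitive_files(SAMPLE_MFT_CSV)
    for r in rows:
        flags = [k for k in ("outside_default_path", "timestomp_suspect") if r[k]]
        print(f"{r['fn_created']}  {r['path']:<40} {r['size']:>10}  {' '.join(flags)}")
    print("staged dump created:", staged_dump_time(rows))
```

The staging time is taken from $FILE_NAME rather than $STANDARD_INFORMATION for the reason given above: the backdated system.hiv row still reports the true 03:43:09 copy time from $FN while its $SI claims 2019, and that disagreement is itself surfaced as the timestomp flag. In Timeline Explorer the same check is the SI<FN column; in Splunk the equivalent is comparing the two created fields after ingesting the CSV.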
