Forela's domain environment is pure chaos. We just got another alert from the domain controller about the NTDS.dit database being exfiltrated. Just one day prior you responded to an alert on the same domain controller where an attacker dumped NTDS.dit via the vssadmin utility. However, you managed to delete the dumped files, kick the attacker out of the DC, and restore a clean snapshot. Now they have again managed to access the DC with a domain admin account, using their persistent access in the environment. This time they are abusing ntdsutil to dump the database. Help Forela in these chaotic times!!
https://app.hackthebox.com/sherlocks/750
NTDS.dit is the Active Directory database, stored by default at C:\Windows\NTDS\NTDS.dit on a domain controller. It contains all AD objects, including password hashes and Kerberos keys, making it a prime target for attackers. Accessing it requires administrative rights. Since it is locked while AD DS is running, attackers often create a Volume Shadow Copy using tools like vssadmin, diskshadow, or ntdsutil to copy the file along with the SYSTEM registry hive, which holds the decryption keys. With these, they can extract password hashes using tools such as Mimikatz, secretsdump.py, or ntdsxtract. These hashes can then be cracked, used in pass-the-hash attacks, or leveraged to forge Golden Tickets by extracting the krbtgt account hash, granting long-term access. Monitoring for suspicious use of these tools, unusual file access to NTDS.dit or SYSTEM, and related event IDs can help detect such activity.
Monitor for Event IDs 325 (Security Account Manager (SAM) Initialization) and 327 (SAM Shutdown) from the event source "ESENT" in the Application log. We will also look for Event ID 7036 (Service State Change) in the System log to correlate with our Application log findings. For our final stop, we will look for Event ID 4799 (a security-enabled local group membership was enumerated) in the Security log.

We are provided with three event log files: APPLICATION, SECURITY and SYSTEM.

We filter on Event ID 7036 in the System event log (it is logged when a Windows service changes its state, e.g. running, stopped, paused).
Using Find to search for "volume shadow copy", we get 4 events reading "Shadow Copy service entered running state"; we take the time of the most recent one.
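As an added example (not from this write-up or from HTB), here is a small Python correlation of the three logs described above: constructed sample records stand in for the exported APPLICATION, SYSTEM and SECURITY entries, and the function ties an ESENT 325 "new database" event naming ntds.dit back to the preceding Volume Shadow Copy service start (7036), picks up the matching ESENT 327 detach, and counts 4799 group-enumeration events in between. The event IDs are the page's; the message formats, timestamps, paths and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (channel, event id, source, timestamp, message) in the
# shape of the exported logs; timestamps, PIDs and paths are invented, not challenge data.
SAMPLE_EVENTS = [
    ("System", 7036, "Service Control Manager", "2023-05-10 08:00:00",
     "The Volume Shadow Copy service entered the running state."),
    ("Security", 4799, "Microsoft-Windows-Security-Auditing", "2023-05-10 08:00:05",
     "A security-enabled local group membership was enumerated."),
    ("Application", 325, "ESENT", "2023-05-10 08:00:20",
     "ntdsutil.exe (1234) Instance: The database engine created a new database "
     "(1, C:\\Temp\\Active Directory\\ntds.dit)."),
    ("Application", 327, "ESENT", "2023-05-10 08:00:40",
     "ntdsutil.exe (1234) Instance: The database engine detached a database "
     "(1, C:\\Temp\\Active Directory\\ntds.dit)."),
    # Benign: AD's own ESENT 325 with no VSS start shortly before it, so it is not reported.
    ("Application", 325, "ESENT", "2023-05-09 13:30:00",
     "lsass.exe (700) NTDSA: The database engine created a new database "
     "(1, C:\\Windows\\NTDS\\ntds.dit)."),
]
TS_FMT = "%Y-%m-%d %H:%M:%S"

def find_ntds_dump_windows(events, window=timedelta(minutes=5)):
    """One finding per ESENT 325 naming ntds.dit that follows a VSS
    'entered the running state' 7036 within `window`, with the matching
    ESENT 327 detach and any 4799 group enumeration in between."""
    evs = [(c, i, s, datetime.strptime(t, TS_FMT), m) for c, i, s, t, m in events]
    vss_starts = [e[3] for e in evs if e[0] == "System" and e[1] == 7036
                  and "Volume Shadow Copy" in e[4] and "running" in e[4]]
    findings = []
    for ch, eid, src, ts, msg in evs:
        if not (ch == "Application" and src == "ESENT" and eid == 325
                and "ntds.dit" in msg.lower()):
            continue
        prior = [v for v in vss_starts if timedelta(0) <= ts - v <= window]
        if not prior:
            continue  # database creation not tied to a recent shadow copy
        vss_ts = max(prior)
        proc = re.match(r"(\S+) \(", msg)                 # process named in the ESENT message
        path = re.search(r"\(\d+, ([^)]*)\)", msg)        # database path in the message
        detach = next((e[3] for e in evs if e[0] == "Application" and e[1] == 327
                       and e[3] >= ts and "ntds.dit" in e[4].lower()), None)
        enum_count = sum(1 for e in evs if e[0] == "Security" and e[1] == 4799
                         and vss_ts <= e[3] <= ts)
        findings.append({"vss_start": vss_ts, "db_created": ts, "db_detached": detach,
                         "process": proc.group(1) if proc else None,
                         "path": path.group(1) if path else None,
                         "group_enum_4799": enum_count})
    return findings
```

Against real exports, feed the same tuples parsed out of the EVTX records; the time window is the knob to widen if the attacker's copy and database creation are further apart.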