I was speaking with an Active Directory Security Engineer from a large, global pharmaceutical company recently and asked him the most classic question in the Product Management handbook: “What keeps you up at night?” So cliché (I know), but sometimes instead of an eye roll, you get a real gem, which is exactly what happened.
He said, “We’ve got a lot of good protections in place and run a pretty tight ship, but the worst thing that I think could happen is someone stealing our ‘dit’ file.” I’d heard about this before. If an attacker can get a copy of a Domain Controller’s NTDS.dit file (essentially the Active Directory database, which holds the password hashes of every account in the domain), they can take it offline, extract the hashes (the boot key from the DC’s SYSTEM registry hive is needed to decrypt them), crack them at their leisure, and then log in with valid user credentials without anyone being the wiser. But how could an attacker actually steal this file? The directory service keeps it open and locked the whole time the DC is running, so a plain file copy fails with a sharing violation. Would you have to take the Domain Controller down, which someone would obviously notice? The questions started to pile up…
Long story short, the conversation got me going down a very interesting path. The more I learned about and researched the .dit mystery, the more I came across other clever and crafty ways attackers are cracking and compromising AD. It makes sense too. Active Directory is a prime target in virtually any attack, and attackers know just how crucial it is in their quest to find and steal what they’re looking for.
Over the next four weeks, I’m going to detail four Active Directory attacks you need to know about: how each one works, the techniques and tools real attackers use to carry it out, and what you can do about it. Here’s the lineup:
- AD Attack #1 – LDAP Reconnaissance (PowerSploit and PowerShell)
- AD Attack #2 – Local Admin Mapping (BloodHound)
- AD Attack #3 – NTDS.dit Extraction (VSSAdmin, PowerSploit, and Hashcat)
- AD Attack #4 – Stealing Passwords from Memory (Mimikatz)
Jeff Warren is STEALTHbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.