What happened
Security researchers observed threat actors exfiltrating the NTDS.dit file from compromised Windows domain controllers to escalate access and extend the compromise. According to the report, the NTDS.dit file, which contains Active Directory user hashes, credentials, and group policy information, was copied from domain controllers and sent to attacker-controlled infrastructure following initial access. With a copy of NTDS.dit, operators can extract credential material offline and attempt lateral movement with elevated privileges across the network. The activity was linked to a multi-stage intrusion in which initial footholds were obtained through undisclosed vectors, followed by deployment of tools that located and exfiltrated the AD database file. Researchers noted that after the NTDS.dit exfiltration, subsequent steps included credential harvesting and use of the extracted credential material to widen the attacker's footprint within the environment.
Who is affected
Organizations with Windows Active Directory domain controllers that have been compromised are directly affected because the exfiltrated NTDS.dit file can be used by attackers to derive credentials and escalate privileges throughout the domain.
Why CISOs should care
The exfiltration of raw Active Directory credential stores highlights significant risk to identity and access management, as attackers with access to NTDS.dit can derive valid credentials and move laterally, undermining trust boundaries and escalating into full domain compromise.
3 practical actions
- Audit domain controller access. Review logs and security controls for unauthorized access to domain controller files and credential stores; file-level access to the AD database only appears in the Security log if object access auditing is enabled on the directory that holds it.
- Restrict admin privileges. Limit the number of accounts with rights to read AD database files.
- Monitor sensitive file exfiltration. Employ network detection to flag large outbound transfers of directory or credential store files.
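As an added illustration of the first action (not code from the report or the researchers), the script below flags Windows Security log records that touch the AD database file: object-access events (4663) where a process other than an expected one reads NTDS.dit, and process-creation events (4688) whose command line names the file. The key="value" export format, the sample records and the allowlist are constructed for the example.

```python
"""Flag Security log records that reference NTDS.dit (added example, constructed data)."""
import re

# Processes expected to open NTDS.dit on a domain controller (assumed allowlist;
# extend with backup agents and similar tooling used in your environment).
EXPECTED_PROCESSES = {r"c:\windows\system32\lsass.exe"}

NTDS_FILE = re.compile(r"ntds\.dit\b", re.IGNORECASE)
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" record (constructed export format) into a dict."""
    return dict(FIELD.findall(line))


def check_event(event):
    """Return a finding string if the event suggests unexpected NTDS.dit access, else None."""
    event_id = event.get("EventID")
    who = f"{event.get('Account', '?')}@{event.get('Host', '?')}"
    if event_id == "4663":
        # File-system audit: normally only the directory service itself reads the file.
        if NTDS_FILE.search(event.get("ObjectName", "")):
            proc = event.get("ProcessName", "").lower()
            if proc not in EXPECTED_PROCESSES:
                return f"4663: {who} read NTDS.dit via unexpected process {proc}"
    elif event_id == "4688":
        # Process creation: any command line naming the database file deserves review.
        if NTDS_FILE.search(event.get("CommandLine", "")):
            return f"4688: {who} launched {event.get('NewProcessName')} referencing NTDS.dit"
    return None


def scan(lines):
    """Run every exported record through check_event and collect the findings."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    'EventID="4663" Host="DC01" Account="SYSTEM" ProcessName="C:\\Windows\\System32\\lsass.exe" ObjectName="C:\\Windows\\NTDS\\ntds.dit" Accesses="ReadData"',
    'EventID="4663" Host="DC01" Account="jdoe" ProcessName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ObjectName="C:\\Windows\\NTDS\\ntds.dit" Accesses="ReadData"',
    'EventID="4688" Host="DC01" Account="jdoe" NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c dir C:\\Windows\\NTDS\\ntds.dit"',
    'EventID="4624" Host="DC01" Account="svc_backup" LogonType="3"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running the script against the sample records reports the PowerShell read and the cmd.exe launch, and stays silent for the lsass.exe read and the unrelated logon event.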
