H3-2021-0046
Credential Dumping - Active Directory Services Database (NTDS)
Category | SECURITY_CONTROLS |
Base Score | 7.2 |
Description
The NTDS.dit file on a Windows domain controller contains the credentials of all domain users. There are a variety of methods to retrieve the contents of this file, such as using the ntdsutil tool, Volume Shadow Copy, and Impacket secretsdump.py. The DCSync method can also be used to achieve the same outcome by replicating the directory services database to a simulated remote domain controller. In most cases, access to a privileged account such as Domain Administrator is needed to perform these actions.
Impact
An attacker who is able to dump all domain credentials can access any resource in the Active Directory environment, masquerade as any user or service, and establish long-term persistence.