CrownJewel -2 – Hack The Box Sherlock

VSS Admin

Scenario

Forela’s Domain environment is pure chaos. Just got another alert from the Domain Controller of the NTDS.dit database being exfiltrated. Just one day prior you responded to an alert on the same Domain Controller where an attacker dumped NTDS.dit via the vssadmin utility. However, you managed to delete the dumped files, kick the attacker out of the DC, and restore a clean snapshot. Now they have again managed to access the DC with a domain admin account through their persistent access in the environment. This time they are abusing ntdsutil to dump the database. Help Forela in these chaotic times!!

Task 1 – When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?

  • In the SYSTEM log, filter on Event ID 7036 (Service Control Manager service state changes). We find the entry stating that the Volume Shadow Copy service entered the running state. Because the task asks for the most recent such entry, sort by time and take the latest one; Event Viewer shows local time, so the timestamp still has to be converted to UTC:

Task 2 – Identify the full path of the dumped NTDS file.

  • In the APPLICATION log, we find Event ID 327 from ESENT (Extensible Storage Engine), logged when the database engine detached a database. Its message contains the full path of the dumped ntds.dit:

Task 3 – When was the database dump created on the disk?

  • In the APPLICATION log, we find Event ID 325 from ESENT, which informs us that the database engine created a new database. Its timestamp (converted to UTC) is when the dump file was created on disk:

Task 4 – When was the newly dumped database considered complete and ready for use?

  • Using the same Event ID 327 found in Task 2: the database engine detaching the database means the dump was finished and closed, so its timestamp, converted to UTC, is when the new database was complete and ready for use:

Task 5 – Event logs use event sources to track events coming from different sources. Which event source provides database status data like creation and detachment?

  • Using the same event found in Task 2, the event source that records database creation (325) and detachment (327) is ESENT.

Task 6 – When ntdsutil.exe is used to dump the database, it enumerates certain user groups to validate the privileges of the account being used. Which two groups are enumerated by the ntdsutil.exe process? Give the groups in alphabetical order joined by comma space.

  • In the SECURITY log, we have Event ID 4799 ("A security-enabled local group membership was enumerated"), with ntdsutil.exe as the caller process. It is generated once for Administrators and once for Backup Operators:

Task 7 – Now you are tasked to find the Login Time for the malicious Session. Using the Logon ID, find the Time when the user logon session started.

  • The Logon ID to pivot on is the Subject Logon ID recorded in the Event ID 4799 entries from Task 6; it identifies the session ntdsutil.exe ran under. In the SECURITY log, filtering on that Logon ID, we have:
    • Event ID 4768: A Kerberos authentication ticket (TGT) was requested for the user Administrator, followed by
    • Event ID 4769: A Kerberos service ticket was requested, followed by
    • Event ID 5379: Credential Manager credentials were read at 2024-05-15 05:36:31 (UTC)
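The seven tasks above are one correlation chain: a VSS start in the System log, ESENT create/detach events in the Application log, 4799 group enumeration by ntdsutil.exe in the Security log, and the Logon ID that ties those back to the session's 4624 logon. The script below is an added example written for this writeup; it is not part of the original post or of any Hack The Box material. It runs over a constructed, in-memory set of event records with hypothetical paths, Logon IDs and timestamps (none of them are values from the Sherlock evidence), and the `data` field names are simplified stand-ins for the EventData you would get by parsing the real .evtx files with a tool such as python-evtx or exporting them via Get-WinEvent. The event IDs and their meanings are the real Windows ones; everything else is an assumption for illustration.

```python
from datetime import datetime, timezone

# Constructed sample records (hypothetical values chosen for illustration,
# NOT the contents of the Sherlock evidence). "data" holds simplified
# stand-ins for each record's EventData; real parsers name them differently.
SAMPLE_EVENTS = [
    # System: Service Control Manager 7036, VSS starts, later stops
    {"log": "System", "id": 7036, "provider": "Service Control Manager",
     "time": "2024-01-01T10:00:05+05:00",
     "data": {"param1": "Volume Shadow Copy", "param2": "running"}},
    {"log": "System", "id": 7036, "provider": "Service Control Manager",
     "time": "2024-01-01T10:01:30+05:00",
     "data": {"param1": "Volume Shadow Copy", "param2": "stopped"}},
    # an older VSS start that must NOT win "most recent"
    {"log": "System", "id": 7036, "provider": "Service Control Manager",
     "time": "2023-12-31T08:00:00+05:00",
     "data": {"param1": "Volume Shadow Copy", "param2": "running"}},
    # Application: ESENT created (325) and detached (327) the dumped database
    {"log": "Application", "id": 325, "provider": "ESENT",
     "time": "2024-01-01T10:00:12+05:00",
     "data": {"database": r"C:\Users\Public\ntds.dit"}},
    {"log": "Application", "id": 327, "provider": "ESENT",
     "time": "2024-01-01T10:00:40+05:00",
     "data": {"database": r"C:\Users\Public\ntds.dit"}},
    # Security: 4799 group enumeration by ntdsutil.exe, 4624 for the session
    {"log": "Security", "id": 4799, "provider": "Microsoft-Windows-Security-Auditing",
     "time": "2024-01-01T09:59:58+05:00",
     "data": {"TargetUserName": "Backup Operators",
              "CallerProcessName": r"C:\Windows\System32\ntdsutil.exe",
              "SubjectLogonId": "0x1A2B3C"}},
    {"log": "Security", "id": 4799, "provider": "Microsoft-Windows-Security-Auditing",
     "time": "2024-01-01T09:59:58+05:00",
     "data": {"TargetUserName": "Administrators",
              "CallerProcessName": r"C:\Windows\System32\ntdsutil.exe",
              "SubjectLogonId": "0x1A2B3C"}},
    {"log": "Security", "id": 4624, "provider": "Microsoft-Windows-Security-Auditing",
     "time": "2024-01-01T09:30:00+05:00",
     "data": {"TargetUserName": "Administrator", "TargetLogonId": "0x1A2B3C",
              "LogonType": "10"}},
]


def to_utc(stamp: str) -> str:
    """Normalise an ISO-8601 timestamp carrying a UTC offset to 'YYYY-MM-DD HH:MM:SS' UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def select(events, log, event_id, provider=None):
    """Return records from one log with a given Event ID (and optionally provider)."""
    return [e for e in events if e["log"] == log and e["id"] == event_id
            and (provider is None or e["provider"] == provider)]


def vss_last_running(events):
    """Task 1: most recent 7036 where Volume Shadow Copy entered the running state."""
    hits = [e for e in select(events, "System", 7036, "Service Control Manager")
            if e["data"]["param1"] == "Volume Shadow Copy" and e["data"]["param2"] == "running"]
    if not hits:
        return None
    latest = max(hits, key=lambda e: datetime.fromisoformat(e["time"]))
    return to_utc(latest["time"])


def esent_lifecycle(events, name="ntds.dit"):
    """Tasks 2-4: path, creation (325) and detach (327) times of a dumped database."""
    out = {"path": None, "created": None, "detached": None}
    for eid, key in ((325, "created"), (327, "detached")):
        for e in select(events, "Application", eid, "ESENT"):
            path = e["data"]["database"]
            if path.lower().endswith(name):
                out["path"] = path
                out[key] = to_utc(e["time"])
    return out


def groups_enumerated_by(events, process="ntdsutil.exe"):
    """Task 6: groups whose membership a process enumerated (4799), plus the Logon IDs it ran under."""
    groups, logon_ids = set(), set()
    for e in select(events, "Security", 4799):
        if e["data"]["CallerProcessName"].lower().endswith(process):
            groups.add(e["data"]["TargetUserName"])
            logon_ids.add(e["data"]["SubjectLogonId"])
    return ", ".join(sorted(groups)), logon_ids


def logon_time(events, logon_id):
    """Task 7: when the session with this Logon ID was created (4624 Target Logon ID)."""
    for e in select(events, "Security", 4624):
        if e["data"]["TargetLogonId"].lower() == logon_id.lower():
            return to_utc(e["time"])
    return None


def triage(events):
    """Run the whole chain and return one summary for the timeline."""
    groups, logon_ids = groups_enumerated_by(events)
    return {
        "vss_running_utc": vss_last_running(events),
        "ntds": esent_lifecycle(events),
        "groups_enumerated": groups,
        "logons_utc": {lid: logon_time(events, lid) for lid in sorted(logon_ids)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Two things worth keeping in mind when running this against real exports: the ESENT 325/327 path lives in the message text rather than a neatly named field, so the parser must pull it out of the message, and the 4799 Subject Logon ID is what you match against the 4624 Target Logon ID; the 4768/4769 Kerberos events do not carry that session Logon ID, so they are only supporting context around the logon itself.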