Scenario

Forela’s domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert of vssadmin being used on the DC, since this is not part of the routine schedule we have good reason to believe that the attacker abused this LOLBIN utility to get the Domain environment’s crown jewel. Perform some analysis on provided artifacts for a quick triage and if possible kick the attacker as early as possible.

Task 1 – Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.

• In SYSTEM logs, we have Event ID 7036 informing that the volume shadow copy service entered the running state:

Scenario

Forela’s domain controller is under attack. The Domain Administrator account is believed to be compromised, and it is suspected that the threat actor dumped the NTDS.dit database on the DC. We just received an alert of vssadmin being used on the DC, since this is not part of the routine schedule we have good reason to believe that the attacker abused this LOLBIN utility to get the Domain environment’s crown jewel. Perform some analysis on provided artifacts for a quick triage and if possible kick the attacker as early as possible.

Task 1 – Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.

• In SYSTEM logs, we have Event ID 7036 informing that the volume shadow copy service entered the running state:

Task 2 – When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the two user groups the volume shadow copy process queries and the machine account that did it.

• In Security Events, filtering on Event ID 4799 A security-enabled local group membership was enumerated, we find multiple events for multiple process that enumerated.
• Concentrating on VSSVC.exe, we find it enumerated DC01$ from Administrators and Backup Operators:

Task 3 – Identify the Process ID (in Decimal) of the volume shadow copy service process.

• In security logs, we find the process name VSSVC.exe and its Process ID 0x1190:

• Converting the value from hexadecimal to decimal, we get 4496

Task 4 – Find the assigned Volume ID/GUID value to the Shadow copy snapshot when it was mounted.

• Using Microsoft-Windows-NTFS events, we find Event IDs 300 NTFS volume dismount has started where the device name is Device\HarddiskVolumeShadowCopy1 and the correlation ID is {06c4a997-cca8-11ed-a90f-000c295644f9}

Task 5 – Identify the full path of the dumped NTDS database on disk.

• I dumped the provided MFT Table using MFTExplorer.exe using the following command

.\\MFTECmd.exe -f '..\\..\\..\\$MFT' --csv .

• I then searched for ntds.dit in the csv file and found the path to be:

C:\\Users\\Administrator\\Documents\\backup_sync_dc\\ntds.dit

Task 6 – When was newly dumped ntds.dit created on disk?

• We can find the date in the MFT table ($MFT)

Task 7 – A registry hive was also dumped alongside the NTDS database. Which registry hive was dumped and what is its file size in bytes?

When dumping ntds.dit (Active Directory database), you need the SYSTEM hive because it contains:

• The Boot Key (SysKey)
• Registry keys used to decrypt AD password hashes

Without the SYSTEM hive, you cannot decrypt the password hashes from ntds.dit.

• In the folder found before backup_sync_dc, we find the SYSTEM registry key with a file size of 17563648