Operation Shadow Harvest: Forensic Analysis of a Domain Controller Compromise via NTDS.dit Exfiltration
A Technical Case Study in Active Directory Attack Detection Through Event Log Correlation and Timeline Analysis
Initial Compromise: At 02:14 AM on a Tuesday, a threat actor gains initial access to the network through a compromised VPN credential belonging to a help desk technician. The VPN log shows a successful connection from an IP address that has never been seen before, originating from a different country than the one where the employee is based.
Reconnaissance and Lateral Movement: Between 02:20 AM and 02:45 AM, the attacker uses the compromised help desk account to perform network enumeration. They run ADFind commands to map out the Active Directory structure, identifying domain controllers and high-privilege accounts. The Windows Security Event logs show multiple queries to Active Directory, generating Event ID 4662 (An operation was performed on an object).
Privilege Escalation: At 02:52 AM, the attacker identifies that the help desk technician's account has local administrator rights on several workstations due to their support role. They locate a workstation where a Domain Admin has an active session. Using Mimikatz, they extract the Domain Admin's credentials from memory. Windows Security Event ID 4688 shows the creation of suspicious processes, and Sysmon Event ID 10 captures process access to lsass.exe.
Domain Controller Access: At 03:07 AM, using the stolen Domain Admin credentials, the attacker establishes a remote PowerShell session to DC01, the primary domain controller. The Windows PowerShell logs record the establishment of the PSSession, and Windows Security Event ID 4624 shows the successful logon with a Domain Admin account outside normal hours.
The NTDS.dit Attack Sequence: 03:12 AM - The attacker creates a shadow copy of the system drive using PowerShell:
vssadmin create shadow /for=C:
Windows Security Event ID 4688 records this process creation.
03:14 AM - In the Application logs, we see ESENT Event ID 216 indicating a database location change, followed by Event ID 327 showing database detachment. These events correlate with the attacker's attempt to access the shadow copy.
03:15 AM - The attacker copies the ntds.dit file from the shadow copy:
Copy-Item "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit" "C:\Windows\Temp\backup.dit"
03:16 AM - ESENT Event ID 326 appears as the database is reattached, and Event ID 325 indicates the creation of a new database instance.
03:18 AM - The attacker begins compressing the stolen ntds.dit file using a PowerShell compression cmdlet:
Compress-Archive -Path "C:\Windows\Temp\backup.dit" -DestinationPath "C:\Windows\Temp\archive.zip"
Exfiltration: 03:22 AM - Network security monitoring detects a large outbound file transfer to an IP address associated with a known file sharing service. The compressed ntds.dit file is being exfiltrated.
Detection and Response: 03:25 AM - The SIEM alerts the SOC team based on several correlation rules:
Unusual VPN login location and time
Multiple ESENT database events in quick succession
Creation of shadow copies outside maintenance window
Large outbound file transfer to suspicious destination
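As an added example that is not part of the case study, the four correlation rules listed above, plus the ESENT attach/detach burst from the attack timeline, implemented in Python over constructed event records of the kind an EVTX, VPN and Sysmon export would yield. The employee home countries, business hours, maintenance window, transfer threshold and the 2024-01-16 timestamps are assumptions; the redacted 185.123.x and 91.224.x addresses are the page's own placeholders. The point the block makes is the one the narrative makes: each rule alone fires on benign activity (the nightly backup job in the sample, a travelling employee), and the incident is raised only when several different rules fire within one window.

```python
"""Correlation rules from the case study run over constructed event records.
Added example, not the case study's own tooling: records mimic EVTX/VPN/Sysmon
exports flattened to dicts, every value is constructed, and the 185.123.x and
91.224.x addresses are the page's redacted placeholders kept as strings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed organisational context (not from the page).
HOME_COUNTRY = {"helpdesk_john": "US", "domain_admin_alice": "US"}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time
MAINTENANCE_HOURS = {22, 23}             # backups create shadow copies 22:00-23:59
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
ESENT_NTDS_IDS = {216, 325, 326, 327}    # location change / create / attach / detach
SHADOW_RE = re.compile(r"vssadmin.*create\s+shadow|win32_shadowcopy.*\.create", re.I)

SAMPLE_EVENTS = [
    {"ts": "2024-01-16T02:14:23", "src": "VPN", "id": 0, "account": "helpdesk_john",
     "host": "vpn-gw", "country": "RO", "ip": "185.123.xxx.xxx"},
    {"ts": "2024-01-16T03:12:45", "src": "Security", "id": 4688, "host": "DC01",
     "account": "domain_admin_alice", "cmdline": "vssadmin create shadow /for=C:"},
    {"ts": "2024-01-16T03:14:02", "src": "ESENT", "id": 216, "host": "DC01"},
    {"ts": "2024-01-16T03:14:05", "src": "ESENT", "id": 327, "host": "DC01"},
    {"ts": "2024-01-16T03:16:10", "src": "ESENT", "id": 326, "host": "DC01"},
    {"ts": "2024-01-16T03:16:11", "src": "ESENT", "id": 325, "host": "DC01"},
    {"ts": "2024-01-16T03:22:15", "src": "Sysmon", "id": 3, "host": "DC01",
     "account": "domain_admin_alice", "dst_ip": "91.224.xxx.xxx", "dst_port": 443,
     "bytes": 247 * 1024 * 1024},
    # Benign noise: the nightly backup job creating its shadow copy inside the window.
    {"ts": "2024-01-15T22:30:00", "src": "Security", "id": 4688, "host": "FS01",
     "account": "svc_backup", "cmdline": "vssadmin create shadow /for=D:"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def rule_vpn_anomaly(events):
    """VPN logon from an unexpected country or outside business hours."""
    hits = []
    for e in events:
        if e["src"] != "VPN":
            continue
        reasons, expected = [], HOME_COUNTRY.get(e["account"])
        if e.get("country") != expected:
            reasons.append(f"login from {e.get('country')}, expected {expected}")
        if parse(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            hits.append(("vpn_anomaly", e, "; ".join(reasons)))
    return hits

def rule_esent_burst(events, window=timedelta(minutes=5), min_events=3):
    """Several ESENT attach/detach/create events on one host in quick succession."""
    hits, per_host = [], defaultdict(list)
    for e in events:
        if e["src"] == "ESENT" and e["id"] in ESENT_NTDS_IDS:
            per_host[e["host"]].append(e)
    for host, evs in per_host.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            run = [x for x in evs[i:] if parse(x["ts"]) - parse(first["ts"]) <= window]
            if len(run) >= min_events:
                ids = [x["id"] for x in run]
                hits.append(("esent_burst", first, f"{len(run)} ESENT events {ids} on {host}"))
                break
    return hits

def rule_shadow_copy_offwindow(events):
    """Shadow copy creation (vssadmin or WMI Win32_ShadowCopy) outside maintenance."""
    return [("shadow_copy_offwindow", e, f"shadow copy created at {e['ts'][11:16]}")
            for e in events if SHADOW_RE.search(e.get("cmdline", ""))
            and parse(e["ts"]).hour not in MAINTENANCE_HOURS]

def rule_large_outbound(events):
    """Outbound transfer above the size threshold."""
    return [("large_outbound", e, f"{e['bytes'] // 2**20} MB to {e['dst_ip']}:{e['dst_port']}")
            for e in events if e.get("bytes", 0) >= LARGE_TRANSFER_BYTES]

RULES = (rule_vpn_anomaly, rule_esent_burst, rule_shadow_copy_offwindow, rule_large_outbound)

def correlate(events, window=timedelta(minutes=90), min_rules=3):
    """Raise an incident when hits from at least `min_rules` different rules fall
    inside one sliding window; a lone rule hit is noise, the full chain is not."""
    hits = sorted((h for rule in RULES for h in rule(events)), key=lambda h: h[1]["ts"])
    incidents = []
    for i, (_, e, _) in enumerate(hits):
        cluster = [h for h in hits[i:] if parse(h[1]["ts"]) - parse(e["ts"]) <= window]
        rules = sorted({h[0] for h in cluster})
        if len(rules) >= min_rules:
            incidents.append({"start": e["ts"], "rules": rules,
                              "hosts": sorted({h[1]["host"] for h in cluster}),
                              "evidence": [(h[1]["ts"], h[0], h[2]) for h in cluster]})
            break   # the first qualifying cluster carries the later hits as evidence
    return hits, incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS)[1]:
        print(f"INCIDENT from {inc['start']} on {inc['hosts']}: {inc['rules']}")
        print(*(f"  {ts}  {rule:<22} {detail}" for ts, rule, detail in inc["evidence"]), sep="\n")
```

On the sample the backup job's shadow copy at 22:30 never appears as a hit, and removing the VPN and network records leaves only two rules firing, which is below the incident threshold; tuning `min_rules` and `window` is where the false-positive and false-negative trade-off for this chain lives.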
The SOC team initiates their incident response plan:
They immediately isolate DC01 from the network
Begin capturing memory dumps and system images for forensic analysis
Launch their privileged account password reset procedures
Start tracking the attacker's lateral movement path through log analysis
Recovery Actions: The security team:
Forces a reset of all domain user passwords
Revokes and reissues all Kerberos tickets
Reviews and corrects excessive permissions
Implements stricter VPN access controls
Deploys additional monitoring for NTDS.dit access attempts
The key to detecting this attack was the correlation of multiple events that, while potentially innocent individually, painted a clear picture of malicious activity when viewed together. The ESENT events were particularly crucial, as they provided clear evidence of database manipulation that would not occur during normal operations.
Windows Security Event Log Analysis: When investigating the incident, we focus first on authentication patterns. A key event sequence from the Security logs might look like this:
4624: Successful Logon
    Time: 02:14:23 AM
    Account: helpdesk_john
    Logon Type: 10 (Remote Interactive)
    Source IP: 185.123.xxx.xxx
    Process Name: C:\Windows\System32\winlogon.exe

4662: Operation Performed on AD Object
    Time: 02:22:15 AM
    Account: helpdesk_john
    Object: CN=Domain Admins,CN=Users,DC=company,DC=local
    Access Mask: 0x40 (Read)

4688: Process Creation
    Time: 02:52:37 AM
    Process: C:\Windows\System32\cmd.exe
    CommandLine: cmd.exe /c whoami /priv
    Account: helpdesk_john
The investigation continues through PowerShell Operational logs (Microsoft-Windows-PowerShell/Operational):
4103: Module Logging
    Time: 03:07:12 AM
    HostApplication: powershell.exe -nop -w hidden
    ScriptBlockText: $sess = New-PSSession -ComputerName DC01
    Account: domain_admin_alice

4104: Script Block Logging
    Time: 03:12:45 AM
    ScriptBlock: {
        $shadow = (gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible")
        $shadow.DeviceObject + "\Windows\NTDS\ntds.dit"
    }
ESENT events in the Application log show the critical database manipulation:
Event ID 216
    Time: 03:14:02 AM
    Description: Database location change detected
    Database: C:\Windows\NTDS\ntds.dit
    Previous Location: [Original Path]
    New Location: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\

Event ID 327
    Time: 03:14:05 AM
    Description: Database engine detached database
    Database: C:\Windows\NTDS\ntds.dit
    Error: 0 (Success)
Sysmon logs (if deployed) provide additional context:
Event ID 1: Process Creation
    Time: 03:15:22 AM
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    CommandLine: Copy-Item "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit"
    ParentImage: C:\Windows\System32\cmd.exe

Event ID 11: File Created
    Time: 03:15:23 AM
    TargetFilename: C:\Windows\Temp\backup.dit
    Image: powershell.exe
Network Connection Logs:
Event ID 3: Network Connection
    Time: 03:22:15 AM
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    DestinationIp: 91.224.xxx.xxx
    DestinationPort: 443
    Protocol: tcp
    Size: 247MB
To analyze these logs effectively, we create a timeline correlation using multiple data sources:
Authentication Timeline Analysis:
Map all logon events (4624) against known patterns
Identify geographical impossibilities (same account logging in from different locations)
Track privilege escalation through account switching
Command Execution Analysis:
Create a process tree showing parent-child relationships
Map PowerShell commands to known attack patterns
Identify encoded or obfuscated commands
Database Operation Sequence:
Track all ESENT database events chronologically
Identify abnormal sequences of attach/detach operations
Map database location changes against shadow copy creation
Data Movement Analysis:
Track file creation and modification events
Monitor network connections and data transfer volumes
Identify unusual outbound connections
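As an added example that is not part of the case study, the command-execution analysis above in Python: it rebuilds the process tree from constructed Sysmon Event ID 1 / Security 4688-style records, reports child processes that run under a different account than their parent (the help desk to Domain Admin switch in the narrative), decodes -EncodedCommand payloads, and matches both the visible command line and the decoded payload against indicator patterns such as hidden windows, shadow-copy creation and references to ntds.dit. PIDs, timestamps and the parent/child links are assumptions; the encoded payload is produced inside the block from the page's own Copy-Item line rather than taken from any capture.

```python
"""Process tree, account switches and encoded-command decoding over constructed
process-creation records (Sysmon Event ID 1 / Security 4688 fields). Added example,
not the case study's own tooling; PIDs, times and parent/child links are assumptions.
"""
import base64
import re
from collections import defaultdict

COPY_NTDS = ('Copy-Item "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1'
             '\\Windows\\NTDS\\ntds.dit" "C:\\Windows\\Temp\\backup.dit"')

def encode_ps(script):
    """-EncodedCommand takes the base64 of the UTF-16LE encoded script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    {"ts": "02:14:23", "pid": 612, "ppid": 4, "user": "SYSTEM",
     "image": r"C:\Windows\System32\winlogon.exe", "cmdline": "winlogon.exe"},
    {"ts": "02:52:37", "pid": 3320, "ppid": 612, "user": "helpdesk_john",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami /priv"},
    {"ts": "03:07:12", "pid": 4104, "ppid": 3320, "user": "domain_admin_alice",
     "image": PS, "cmdline": "powershell.exe -nop -w hidden"},
    {"ts": "03:12:45", "pid": 5010, "ppid": 4104, "user": "domain_admin_alice",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin create shadow /for=C:"},
    {"ts": "03:15:22", "pid": 5120, "ppid": 3320, "user": "domain_admin_alice",
     "image": PS, "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps(COPY_NTDS)},
]

# -e, -ec, -enc and -EncodedCommand are the common spellings; PowerShell accepts any
# unambiguous prefix of the parameter name, so a production rule should be broader.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = [
    ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
    ("no profile", r"-nop\b|-noprofile"),
    ("encoded command", ENCODED_RE.pattern),
    ("shadow copy creation", r"vssadmin.*create\s+shadow|win32_shadowcopy"),
    ("shadow copy path", r"globalroot\\device\\harddiskvolumeshadowcopy"),
    ("ntds.dit access", r"ntds\.dit"),
    ("privilege enumeration", r"whoami\s+/priv"),
]

def decode_encoded_command(cmdline):
    """Decoded script of an -EncodedCommand invocation, or None."""
    m = ENCODED_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def indicators(cmdline):
    """Indicator names matching the command line or its decoded payload."""
    text = cmdline + "\n" + (decode_encoded_command(cmdline) or "")
    return [name for name, pat in INDICATORS if re.search(pat, text, re.I)]

def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children, roots = defaultdict(list), []
    for e in events:
        (children[e["ppid"]] if e["ppid"] in by_pid else roots).append(e)
    return by_pid, children, roots

def render_tree(events):
    """Indented parent -> child listing; account switches show in the brackets."""
    _, children, roots = build_tree(events)
    lines = []
    def walk(e, depth):
        name = e["image"].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{e['pid']} {name} [{e['user']}]")
        for child in sorted(children[e["pid"]], key=lambda c: c["ts"]):
            walk(child, depth + 1)
    for root in sorted(roots, key=lambda r: r["ts"]):
        walk(root, 0)
    return lines

def ancestry(events, pid):
    """Image names from the root of the tree down to `pid`."""
    by_pid, chain = build_tree(events)[0], []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(chain))

def account_switches(events):
    """(parent pid, parent user, child pid, child user) wherever the account changes."""
    by_pid = build_tree(events)[0]
    return [(e["ppid"], by_pid[e["ppid"]]["user"], e["pid"], e["user"]) for e in events
            if e["ppid"] in by_pid and by_pid[e["ppid"]]["user"] != e["user"]]

def analyze(events):
    """Flagged processes keyed by pid with indicators, decoded payload and ancestry."""
    findings = {}
    for e in events:
        ind = indicators(e["cmdline"])
        if ind:
            findings[e["pid"]] = {"user": e["user"], "indicators": ind,
                                  "decoded": decode_encoded_command(e["cmdline"]),
                                  "chain": ancestry(events, e["pid"])}
    return findings
```

Matching indicators against the decoded payload as well as the raw command line is what makes the encoded Copy-Item show up as "ntds.dit access" rather than as an opaque base64 string; the ancestry string attached to each finding is the parent-child path an analyst would otherwise reconstruct by hand from ParentImage fields.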
Using PowerShell, we might create a quick correlation script:
# Example log correlation script
$securityLogs = Get-WinEvent -LogName Security -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[TimeCreated[@SystemTime>='2024-01-15T02:00:00Z' and @SystemTime<='2024-01-15T04:00:00Z']]]"
$powerShellLogs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[TimeCreated[@SystemTime>='2024-01-15T02:00:00Z']]]"
$esentLogs = Get-WinEvent -LogName "Application" -ErrorAction SilentlyContinue `
    -FilterXPath "*[System[Provider[@Name='ESENT']]]"

# Create timeline of relevant events
$timeline = @()
$timeline += $securityLogs   | Where-Object { $_.Id -in @(4624, 4662, 4688) }
$timeline += $powerShellLogs | Where-Object { $_.Id -in @(4103, 4104) }
$timeline += $esentLogs      | Where-Object { $_.Id -in @(216, 325, 326, 327) }

# Sort and analyze timeline
$timeline | Sort-Object TimeCreated | ForEach-Object {
    # Analysis logic here; at minimum emit one line per event for review
    "{0:u}  {1,-45}  {2,5}  {3}" -f $_.TimeCreated, $_.LogName, $_.Id, ($_.Message -split "`n")[0]
}
Key Analysis Patterns to Look For:
Temporal Anomalies:
Events occurring outside business hours
Unusually rapid sequences of operations
Compression and data movement during quiet hours
Behavioral Anomalies:
First-time execution of administrative tools
Unusual PowerShell command patterns
Abnormal database operation sequences
Access Pattern Anomalies:
Privilege escalation sequences
Account switching patterns
Unusual remote access patterns
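As an added example that is not part of the case study, the temporal and behavioural patterns listed above turned into a scoring rule in Python: off-hours executions, unusually rapid sequences of executions by one account, and the first use of an administrative tool by an account that has no record of running it. The business hours, burst threshold, weights, alert threshold, the 30-day tool baseline and every execution record are assumptions constructed to mirror the narrative (the ADFind reconnaissance burst, the Domain Admin's shadow copy, and a benign backup job).

```python
"""Temporal and behavioural anomaly scoring over constructed process-execution
records. Added example, not the case study's own tooling: the business hours,
burst threshold, weights, alert threshold, 30-day tool baseline and every
record are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59 local time
BURST_WINDOW, BURST_MIN = timedelta(seconds=60), 5    # "unusually rapid sequence"
ADMIN_TOOLS = {"adfind.exe", "vssadmin.exe", "ntdsutil.exe", "mimikatz.exe", "wmic.exe"}
WEIGHTS = {"off-hours": 2, "burst": 3, "first-time admin tool": 3}
ALERT_THRESHOLD = 5

# Constructed baseline: admin tools each account ran during the previous 30 days.
BASELINE_TOOLS = {"svc_backup": {"vssadmin.exe"}, "domain_admin_alice": {"ntdsutil.exe"}}

EXEC_EVENTS = (
    # six ADFind runs within 40 seconds from the help desk account at 02:20
    [{"ts": f"2024-01-16T02:20:{s:02d}", "account": "helpdesk_john", "tool": "adfind.exe"}
     for s in range(0, 48, 8)]
    + [{"ts": "2024-01-16T03:12:45", "account": "domain_admin_alice", "tool": "vssadmin.exe"},
       {"ts": "2024-01-10T14:05:00", "account": "domain_admin_alice", "tool": "ntdsutil.exe"},
       {"ts": "2024-01-15T22:30:00", "account": "svc_backup", "tool": "vssadmin.exe"}]
)

def temporal_anomalies(events):
    """Off-hours executions and bursts of executions by one account."""
    findings, per_account = [], defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if t.hour not in BUSINESS_HOURS:
            findings.append((e["ts"], e["account"], "off-hours", e["tool"]))
        per_account[e["account"]].append(t)
    for account, times in per_account.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i + 1 >= BURST_MIN:
                findings.append((times[i].isoformat(), account, "burst",
                                 f"{j - i + 1} executions in {BURST_WINDOW.seconds}s"))
                break   # one burst finding per account is enough for scoring
    return findings

def behavioral_anomalies(events, baseline):
    """First execution of an administrative tool by an account never seen using it."""
    seen = {account: set(tools) for account, tools in baseline.items()}
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        tool = e["tool"].lower()
        if tool in ADMIN_TOOLS and tool not in seen.setdefault(e["account"], set()):
            findings.append((e["ts"], e["account"], "first-time admin tool", tool))
            seen[e["account"]].add(tool)
    return findings

def score_accounts(events, baseline, threshold=ALERT_THRESHOLD):
    """Weighted score per account with the alert flag and the findings behind it."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for f in temporal_anomalies(events) + behavioral_anomalies(events, baseline):
        scores[f[1]] += WEIGHTS[f[2]]
        reasons[f[1]].append(f)
    return {a: {"score": s, "alert": s >= threshold, "reasons": reasons[a]}
            for a, s in scores.items()}

if __name__ == "__main__":
    for account, r in sorted(score_accounts(EXEC_EVENTS, BASELINE_TOOLS).items()):
        print(f"{account:<20} score={r['score']:<3} alert={r['alert']}")
        for ts, _, kind, detail in r["reasons"]:
            print(f"    {ts}  {kind:<22} {detail}")
```

The baseline is what keeps the backup service account quiet: its late-night vssadmin run is off-hours but not a first-time tool, so it scores below the threshold, while the Domain Admin's first-ever shadow copy at 03:12 crosses it on the combination of the two signals.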
