Security experts are observing a significant increase in cyberattacks aimed at exfiltrating the NTDS.dit file. This file is the Active Directory database on every domain controller and holds the password hashes of all domain accounts, including the krbtgt account. The hashes are stored encrypted, but the key that protects them is derived from the boot key in the SYSTEM registry hive, so attackers typically take that hive alongside the database and decrypt everything offline. With the hashes in hand they can crack passwords offline at leisure, authenticate directly with pass-the-hash, or forge Kerberos tickets, which can lead to complete compromise of the domain and the enterprise network.
These attacks typically begin with the attacker obtaining administrative access to a domain controller. From there, they abuse legitimate built-in Windows utilities such as vssadmin to create a Volume Shadow Copy of the system volume and read NTDS.dit from the snapshot rather than from the live file. This living-off-the-land technique bypasses the file-locking mechanisms that usually
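
The shadow-copy chain described above leaves a distinctive trail in process-creation telemetry: a shadow-copy creation on a domain controller, followed shortly by a read of ntds.dit from a HarddiskVolumeShadowCopy device and a save of the SYSTEM hive. The following detector is an added example written for this page, not code from the article or any vendor; it correlates those three stages per host within a time window. The events are constructed and shaped like Sysmon Event ID 1 records (the UtcTime, User, Image and CommandLine field names are Sysmon's; the host key and the list of domain-controller names are assumptions), and the hostnames, users and paths are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events shaped like Sysmon Event ID 1 (process creation)
# records. Hosts, users, timestamps and paths are invented for this example.
# DC01 shows the full chain described in the article; DC02 and FS01 are
# benign noise the detector should not flag when only DCs are in scope.
SAMPLE_EVENTS = [
    {"host": "DC01", "UtcTime": "2024-05-01 02:14:03", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "UtcTime": "2024-05-01 02:14:41", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"host": "DC01", "UtcTime": "2024-05-01 02:15:02", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Temp\sys.hiv"},
    {"host": "DC02", "UtcTime": "2024-05-01 03:00:00", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"host": "FS01", "UtcTime": "2024-05-01 04:00:00", "User": r"CORP\backupsvc",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=D:"},
]

# Stage 1: a shadow copy is created. vssadmin is the tool named in the article;
# wmic and diskshadow are built-in equivalents that reach the same result.
SHADOW_CREATE = re.compile(
    r"vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow(\.exe)?",
    re.IGNORECASE)
# Stage 2: ntds.dit is read from the shadow device instead of the locked live file.
NTDS_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.IGNORECASE)
# Stage 3: the SYSTEM hive is saved; it holds the boot key needed to decrypt the hashes.
SYSTEM_HIVE = re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.IGNORECASE)


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect_ntds_theft(events, domain_controllers, window=timedelta(minutes=30)):
    """Correlate the three stages per domain controller.

    A shadow-copy creation on a DC opens a window; any ntds.dit read from a
    shadow device or SYSTEM hive save on the same host inside that window is
    attached to it. Returns one alert per shadow creation on a DC. Severity is
    'high' once ntds.dit itself is touched, otherwise 'medium': shadow copies
    on a DC outside scheduled backups deserve a look either way.
    """
    alerts = []
    by_host = {}
    for ev in sorted(events, key=_ts):
        if ev["host"] in domain_controllers:
            by_host.setdefault(ev["host"], []).append(ev)

    for host, host_events in by_host.items():
        for i, ev in enumerate(host_events):
            if not SHADOW_CREATE.search(ev["CommandLine"]):
                continue
            start = _ts(ev)
            stages = {"shadow_create"}
            for later in host_events[i + 1:]:
                if _ts(later) - start > window:
                    break
                if NTDS_FROM_SHADOW.search(later["CommandLine"]):
                    stages.add("ntds_copy")
                if SYSTEM_HIVE.search(later["CommandLine"]):
                    stages.add("system_hive")
            alerts.append({
                "host": host,
                "user": ev["User"],
                "first_seen": ev["UtcTime"],
                "stages": stages,
                "severity": "high" if "ntds_copy" in stages else "medium",
                "technique": "T1003.003",  # MITRE ATT&CK: OS Credential Dumping: NTDS
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ntds_theft(SAMPLE_EVENTS, domain_controllers={"DC01", "DC02"}):
        print(alert)
```

Running the sample produces a single high-severity alert for DC01 with all three stages; DC02 only listed existing shadows and FS01 is a file server outside the DC set, so neither is raised. The scoping to domain controllers matters in practice: shadow-copy creation is routine on backup and file servers, and a rule that fires on every vssadmin invocation enterprise-wide will be tuned out within a week.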

