When AD Gets Breached: Detecting NTDS.dit Dumps and Exfiltration with Trellix NDR
When AD Gets Breached: Detecting NTDS.dit Dumps and Exfiltration with Trellix NDR By Maulik Maheta · September 25, 2025 Executive summary Active Directory (AD) stores the digital keys to an organization's kingdom. When attackers gain access to a network, they often target the NTDS.dit file, which...
Detecting and Visualizing Lateral Movement Attacks with Trellix XDR - Part 2
Detecting and Visualizing Lateral Movement Attacks with Trellix Helix Connect - Part 2 By Maulik Maheta · May 21, 2023 This blog was also written by Chintan Shah Executive summary In part 1 of this series we discussed in depth the known lateral movement attacks, such as abusing weak service...
CISA, FBI: State-Backed APTs Are Exploiting Critical Zoho Bug
The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month. At issue is...
This One Time on a Pen Test: I Know...Everything
Each year, Rapid7 penetration testers complete hundreds of internally and externally based penetration testing service engagements. This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie. For more insights, check out our 2020 Under the Hoodie report. It...
Windows Secrets Dump
Dumps SAM hashes and LSA secrets including cached creds from the remote Windows target without executing any agent locally. This is done by remotely updating the registry key security descriptor, taking advantage of the WriteDACL privileges held by local administrators to set temporary read...
Exploit for CVE-2020-1472
CVE-2020-1472 - Zero-Logon POC [image: https://github.com...]
Adaudit - Powershell Script To Do Domain Auditing Automation
PowerShell script to perform a quick AD audit, by phillips321. If you have any decent PowerShell one-liners that could be used in the script please let me know. I'm trying to keep this script as a single file with no requirements on external too...
NebulousAD - Automated Credential Auditing Tool
NebulousAD Automated Credential Auditing Tool. Installation: Simply download the precompiled release (requires no Python interpreter), or build from source (requires Python 2.7 for now): run git clone git@github.com:NuID/nebulousAD.git, then install with python setup.py install. Then initialize...
Exploit for CVE-2019-1040
CVE-2019-1040 Great writeup! Exploiting CVE-2019-1040 - Comb...
Dumping Domain Password Hashes
During penetration tests in which domain administrator access has been achieved, it is very common to extract the password hashes of all domain users for offline cracking and analysis. These hashes are stored in the NTDS.DIT database file on the domain controller, along with some additional information li...
Post Windows Gather NTDS.DIT Location
This module will find the location of the NTDS.DIT file from the Registry, check that it exists, and display its location on the screen, which is useful if you wish to manually acquire the file using ntdsutil or vss. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows Domain Controller Hashdump
This module attempts to copy the NTDS.dit database from a live Domain Controller and then parse out all of the User Accounts. It saves all of the captured password hashes, including historical ones. This module requires Metasploit: https://metasploit.com/download Current source:...
Windows File Gather File from Raw NTFS
This module gathers a file using the raw NTFS device, bypassing some Windows restrictions such as open file with write lock. Because it avoids the usual file locking issues, it can be used to retrieve files such as NTDS.dit. This module requires Metasploit: https://metasploit.com/download Current...
[Quarks PwDump] Dump Windows Credentials
Quarks PwDump is a new open-source tool to dump various types of Windows credentials: local accounts, domain accounts, cached domain credentials and BitLocker. The tool currently works live on the operating system, limiting the risk of undermining its integrity or stability. It requires...
PsExec NTDS.dit And SYSTEM Hive Download Utility
This module authenticates to an Active Directory Domain Controller and creates a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM hive copy can be used in combination with other tools for...