Decrypting the Directory: A Journey into a static analysis of the Active Directory NTDS to identify misconfigurations and vulnerabilities

In our presentation, we will explore an alternative approach to conduct an Active Directory audit through a static analysis of the NTDS database. We’ll dive into the types of significant insights that can be uncovered within the NTDS and demonstrate how to interpret these findings to effectively carry out a security audit.

Identifying vulnerabilities in Active Directory (AD) environments before the bad guys do is a hot topic in the industry. To do so, an arsenal of tools exists to conduct AD audits (Sharp/BloodHound, PingCastle, etc.). Most of the existing tools relies on a dynamic approach where LDAP requests are used to collect data from the Domain Controllers. An analysis of the collected data is then performed to identify weaknesses. While this process is very efficient, it can be noisy and raise “false positive” alerts for the SOC teams, and fails to answer a major question: do the AD accounts use a robust password? Fortunately, these issues can be tackled by adopting a complementary approach to audit AD environments: the static analysis of the NTDS database. Analyzing the ntds.dit database can help identifying AD-related vulnerabitlies and misconfigurations ranging from weak passwords, delegation issues, to dangerous ACL and many more.