SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits. - chaitin/SafeLine

Active Directory (AD) remains the foundation of authentication and authorization in Windows environments. Threat actors targeting the NTDS.dit database can harvest every domain credential, unlock lateral movement, and achieve full domain compromise.  Attackers leveraged native Windows utilities to dump and exfiltrate NTDS.dit, bypassing standard defenses.  The adversary in this case obtained DOMAIN ADMIN privileges via a successful phishing campaign and subsequent privilege escalation . Once elevated, they executed: To create a Volume Shadow Copy and extract NTDS.dit, silently bypassing file locks. With the SYSTEM hive obtained, attackers decrypted the database offline using secretsdump.py from Impacket: This chain enabled harvesting of NTLM and AES hashes for all domain accounts without triggering traditional endpoint alarms. Full Kill Chain After archiving and compressing the dump with tar -czf ntds.tar.gz c:\temp\ntds.dit c:\temp\SYSTEM, the attackers exfiltrated data over SMB to a compromised file share. NTDS.dit file dump Trellix detected this activity via two high-fidelity signatures: anomalous SMB write patterns exceeding baseline volume and a custom exfiltration signature for large NTDS file transfers.  Behavioral detection flagged unexpected esentutl processes running outside maintenance windows, and protocol anomaly alerts triggered on shadow copy reads to C:\$VolumeShadowCopy. Through Trellix Wise, AI-driven alert correlation highlighted the progression from VSS creation to SMB upload, reducing analyst workload by 60% and cutting mean time to detect (MTTD) by 45%.  The theft of NTDS.dit poses an existential threat to Windows domains, providing attackers complete control over all credentials.    NTDS.dit archived for exfiltration Traditional defenses often miss the low-and-slow techniques employed during shadow copy creation and offline decryption. Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories. The post Hackers Compromise Active Directory to Steal NTDS.dit Exfiltration that Leads to Full Domain Compromise appeared first on Cyber Security News .

CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability.

📡 Il y a un incident cyber majeur aux US dont quasiment personne ne parle en France... le piratage de nombreux opérateurs télécoms ! Et il (va) entraîne(r) de… | 15 comments on LinkedIn

Broadcom has issued an urgent warning that two critical vulnerabilities in VMware vCenter Server are now being actively exploited in the wild.

L'Agence nationale de sécurité des systèmes d'information a dû intervenir dans 548 événements de cybersécurité pendant les Jeux olympiques et...-Club Data Protection

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to trigger a denial-of-service (DoS) condition.

This strategy in Cisco's journey to revolutionize how organizations leverage data to connect and protect every aspect of their operations.

Microsoft provides three more years of Windows Server 2012 Extended Security Updates (ESUs) until October 2026, allowing administrators more time to upgrade or migrate to Azure.

USB adapter for French dedicated energy meter Teleinfo