{
	"id": "1ff42a6f-def9-4177-86c1-3b763966179a",
	"created_at": "2026-04-06T00:09:49.156686Z",
	"updated_at": "2026-04-10T03:21:03.012834Z",
	"deleted_at": null,
	"sha1_hash": "206ea9f27d6ef9eedc4c3005b17e5bc6901174ec",
	"title": "TrickBot Now Steals Windows Active Directory Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1009050,
	"plain_text": "TrickBot Now Steals Windows Active Directory Credentials\r\nBy Lawrence Abrams\r\nPublished: 2020-01-23 · Archived: 2026-04-05 13:26:26 UTC\r\nA new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers.\r\nTrickBot is typically downloaded and installed on a computer by other malware. The most common malware that installs TrickBot is Emotet, which is distributed through spam with malicious Word document attachments.\r\nOnce TrickBot is installed, it harvests various information from the compromised computer and then attempts to spread laterally through the network to gather more data.\r\nTo do this, TrickBot downloads modules that each perform a specific task, such as stealing cookies, browser information, or OpenSSH keys, or spreading to other computers.\r\nAs part of the malware's continued evolution, security researcher Sandor Nemes discovered a new TrickBot module called 'ADll' that executes a series of Windows commands allowing the trojan to steal a Windows Active Directory database.\r\nDumping the Active Directory\r\nBefore we get to how TrickBot steals an Active Directory database to harvest login credentials, we first need to give some background on a special file called ntds.dit.\r\nWhen a server is promoted to a domain controller, the Active Directory database is created and saved to the default C:\\Windows\\NTDS folder on the DC.\r\nInside this folder is a file called ntds.dit, a database that contains all Active Directory Domain Services information, such as users, password hashes, groups, computers, etc.\r\nAs this information is sensitive, Windows encrypts the password hashes in the database with a key that is itself protected by the BootKey (SysKey), which is derived from values in the SYSTEM hive of the Registry; this is why an attacker needs a copy of the SYSTEM hive as well as ntds.dit. As ntds.dit is always held open by the domain controller, it is also not possible to copy it with standard file operations.\r\nTo be able to work with the ntds.dit database while it is open, Windows domain controllers ship with a tool called ntdsutil that allows administrators to perform database maintenance.\r\nntdsutil command\r\nUsing ntdsutil, administrators can run the \"ifm\" (Install From Media) command to create a dump of the Active Directory database. This command is meant to create installation media from which new domain controllers can be set up quickly, without having to wait for Active Directory replication.\r\nIf TrickBot gains administrative access to a domain controller, it abuses this command to create a copy of the domain's Active Directory database and steal it.\r\nTrickBot steals the Active Directory\r\nTrickBot's new ADll module takes advantage of the Install From Media command to dump the Active Directory database and several Registry hives to the %Temp% folder. These files are then compressed and sent back to the attackers.\r\nIn a conversation with BleepingComputer, Nemes explained that the ADll module generates an 8-character ID based on the TrickBot client ID.\r\nThe module then uses this ID as the filename argument for the following commands:\r\nntdsutil \"ac in ntds\" \"ifm\" \"cr fu %TEMP%\\[generated-id]0.dat\" q q\r\nreg save HKLM\\SAM %TEMP%\\[generated-id]1.dat /y\r\nreg save HKLM\\SECURITY %TEMP%\\[generated-id]2.dat /y\r\nreg save HKLM\\SYSTEM %TEMP%\\[generated-id]3.dat /y\r\nWhen executed, these commands dump the Active Directory database as well as the SAM, SECURITY, and SYSTEM hives. (The ifm output itself already contains copies of the SYSTEM and SECURITY hives in its registry subfolder, so the extra reg save commands mainly add the local SAM hive; \"ac in ntds\" and \"cr fu\" are ntdsutil's abbreviations for \"activate instance ntds\" and \"create full\".)\r\nWhen done, Nemes says, the module checks that the files exist, compresses them, and exfiltrates them to the attacker's servers.\r\nNow that the attackers have these files, they can decrypt the Active Directory database and dump the usernames, password hashes, computer names, groups, and other data.\r\nThis data can then be used to spread further through the network, and is especially helpful for the actors behind the Ryuk ransomware, which is typically the final payload of TrickBot infections.\r\nIllustrating how this data helps attackers\r\nTo illustrate how the TrickBot module works and what data it can gather, BleepingComputer set up a small Windows domain.\r\nOnce set up, we executed the module's first command, ntdsutil \"ac in ntds\" \"ifm\" \"cr fu %TEMP%\\H00i0Z000.dat\" q q, which dumps the Active Directory database to the %TEMP%\\H00i0Z000.dat folder.\r\nDumping the Active Directory database\r\nWe also executed the module's reg commands to save the SAM, SECURITY, and SYSTEM hives to files.\r\nreg save HKLM\\SAM %TEMP%\\H00i0Z001.dat /y\r\nreg save HKLM\\SECURITY %TEMP%\\H00i0Z002.dat /y\r\nreg save HKLM\\SYSTEM %TEMP%\\H00i0Z003.dat /y\r\nWhen done, our %Temp% folder contained a folder holding the Active Directory database and three .dat files that are the saved Registry hives.\r\nSaved data in %Temp% folder\r\nInside the H00i0Z000.dat folder (in its Active Directory subfolder) is the dumped ntds.dit database file.\r\nThe dumped Active Directory database\r\nUsing the DSInternals PowerShell module, we can easily extract the BootKey from the SYSTEM hive with the command Get-Bootkey -SystemHivePath '.\\H00i0Z003.dat'.\r\nExtracting BootKey from SYSTEM hive\r\nFinally, we execute the DSInternals command Get-ADDBAccount -All -DBPath 'C:\\Users\\sanje\\Desktop\\NTDS\\ntds.dit' -BootKey [key] to decrypt the database and view all of the accounts, including their NTLM password hashes, as seen below.\r\nDumping user password hashes from the ntds.dit file\r\nAttackers can then take these hashes and run them through password-cracking programs to recover the plain-text passwords; NTLM hashes can also be used directly in pass-the-hash attacks without cracking them.\r\nThese account credentials can then be used by the attackers to compromise other devices on the network.\r\nFurther information\r\nActive Directory exploitation is a serious subject, and it is important for domain administrators to become familiar with it.\r\nI recommend \"Att&cking Active Directory for fun and profit\" by Huy Kha to learn about the different ways that attackers can access data stored in Active Directory.\r\nHead of SentinelLabs Vitali Kremez also has a very informative video on how TrickBot and Ryuk exploit Active Directory services for their benefit.
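A practical check a domain administrator can run against this module's behaviour, as an added example that is not part of the original article and is not TrickBot's or DSInternals' code: a PowerShell script that flags the four-command sequence Nemes described in Windows process-creation telemetry. It assumes Security event 4688 is collected with the \"Include command line in process creation events\" policy enabled (otherwise the CommandLine field is empty and nothing can match); the function names and the sample command lines are this example's own.

```powershell
# Added example, not code from the article or from the TrickBot module: flag the
# ADll command sequence (ntdsutil ifm dump plus reg save of the SAM, SECURITY and
# SYSTEM hives) in Windows process-creation telemetry. Assumes Security event 4688
# with command-line auditing enabled. Function names are this example's own.

function Test-AdllCommandLine {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.ToLowerInvariant()
    # Split on spaces and strip surrounding quotes so that both
    #   ntdsutil \"ac in ntds\" \"ifm\" ...   and   \"C:\\Windows\\system32\\reg.exe\" save ...
    # tokenise to ntdsutil/ac/in/ntds/ifm/... and reg.exe/save/...
    $tokens = @($cl.Split(' ', [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object { $_.Trim('\"') })
    $exe = $tokens[0].Split('\\')[-1]   # image name without its directory

    # Rule 1: ntdsutil invoked with the ifm (Install From Media) subcommand.
    # TrickBot's exact form is: ntdsutil \"ac in ntds\" \"ifm\" \"cr fu <path>\" q q
    if (($exe -in @('ntdsutil', 'ntdsutil.exe')) -and ($tokens -contains 'ifm')) {
        return 'ntdsutil ifm dump of ntds.dit'
    }

    # Rule 2: reg save of a hive needed to decrypt ntds.dit (SYSTEM) or the local SAM.
    $hives = @('hklm\\sam', 'hklm\\security', 'hklm\\system',
               'hkey_local_machine\\sam', 'hkey_local_machine\\security', 'hkey_local_machine\\system')
    if (($exe -in @('reg', 'reg.exe')) -and ($tokens.Count -ge 3) -and
        ($tokens[1] -eq 'save') -and ($tokens[2] -in $hives)) {
        return ('reg save of ' + $tokens[2].ToUpperInvariant())
    }
    return $null
}

function Get-AdllSuspectEvents {
    # Scan the local Security log for 4688 events whose command line matches a rule.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
            $rule = Test-AdllCommandLine -CommandLine $data['CommandLine']
            if ($rule) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    User        = $data['SubjectUserName']
                    Rule        = $rule
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample command lines (made up for this example, not captured from a
# real infection). The first three mirror the ADll sequence; the last two are benign.
$samples = @(
    'ntdsutil \"ac in ntds\" \"ifm\" \"cr fu C:\\Users\\svc\\AppData\\Local\\Temp\\H00i0Z000.dat\" q q',
    '\"C:\\Windows\\system32\\reg.exe\" save HKLM\\SAM C:\\Users\\svc\\AppData\\Local\\Temp\\H00i0Z001.dat /y',
    'reg save HKLM\\SYSTEM C:\\Users\\svc\\AppData\\Local\\Temp\\H00i0Z003.dat /y',
    'reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters',
    'ntdsutil \"ac in ntds\" files info q q'
)
foreach ($s in $samples) {
    $rule = Test-AdllCommandLine -CommandLine $s
    '{0,-30} {1}' -f $(if ($rule) { $rule } else { 'no match' }), $s
}
```

Run Get-AdllSuspectEvents on a domain controller to search the last seven days of its Security log. A legitimate ifm run during planned DC provisioning will also match, so treat a hit as a prompt to check the change record rather than as proof of compromise. The same matching logic applies unchanged to Sysmon event 1 or an EDR's process-creation stream, which are the better source where 4688 command-line auditing is not enabled; a second, independent signal is an ntds.dit file appearing anywhere outside C:\\Windows\\NTDS, since the ifm output always contains one.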
\r\nSource: https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/"
	],
	"report_names": [
		"trickbot-now-steals-windows-active-directory-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/206ea9f27d6ef9eedc4c3005b17e5bc6901174ec.pdf",
		"text": "https://archive.orkl.eu/206ea9f27d6ef9eedc4c3005b17e5bc6901174ec.txt",
		"img": "https://archive.orkl.eu/206ea9f27d6ef9eedc4c3005b17e5bc6901174ec.jpg"
	}
}