DCSync attacks: Do not replicate me
- CyberSecurity Simplified
- Jul 23, 2021
- 4 min read
Written by Jean-Camille LOISEAU & Anup Tripathi | Published 23 July 2021

Domain controllers (DCs) are among the most important servers in your organization. They handle authentication requests and verify users on the network. Domain controllers sit at the top of (and enable) the IT hierarchy in which your company organizes and secures all of its users, servers and workstations.
Because they hold the keys to the Active Directory (AD) kingdom, they are an obvious prime target, and DCSync (MITRE ATT&CK T1003.006, a sub-technique of OS Credential Dumping) is one of many techniques used to steal credentials and other sensitive information from them.
DCSync became a very popular attack method after it was added to the Mimikatz toolset in 2015. Security teams must therefore make sure they can prevent, detect and respond to DCSync activity on their network.
What is a DCSync attack?
DCSync is a technique that abuses the replication interface of a Windows domain controller: the attacker impersonates a domain controller and asks a real one to replicate directory data to them.
It consists of a series of requests sent to a DC on your network that mimic the behaviour of a peer domain controller asking for replication, using the Microsoft Directory Replication Service Remote Protocol (MS-DRSR).
This protocol was introduced with Active Directory in Windows 2000 Server and is present in every subsequent server release. It is what keeps multiple DCs in "sync", so that each DC holds a consistent, up-to-date copy of the directory.
To perform DCSync, the attacker must already control an account that holds domain replication rights, because the DC checks those rights before answering a replication request. This places DCSync late in the kill chain: the attacker already has a strong foothold in your network, and that earlier compromise needs to be found and fixed too.
Why should I care about a DCSync attack?
Once an attacker has completed a DCSync attack, they can pull password data for any account in the domain: current and historical password hashes and Kerberos keys, including those of the KRBTGT account, whose key is used to encrypt and sign every Kerberos ticket-granting ticket issued in your domain. With the KRBTGT key the attacker can forge tickets at will (the golden ticket attack). In other words, if they are not the captain of your domain yet, they are about to be.
How does a DCSync attack unfold?
It is important to repeat that, for a DCSync attack to occur, the attacker has already entered your network, performed reconnaissance to understand its structure, and obtained highly privileged access, either by compromising a privileged account or through privilege escalation.
DCSync requires the attacker to control an account (usually a member of Administrators, Domain Admins, Enterprise Admins or Domain Controllers) that holds the following extended rights on the domain naming context:
Replicating Directory Changes (DS-Replication-Get-Changes)
Replicating Directory Changes All (DS-Replication-Get-Changes-All)
Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set)
The first two are what DCSync needs in order to read account secrets; the third only extends that access to attributes in the filtered attribute set (the ones withheld from read-only domain controllers).
The attacker then uses the compromised account to locate a DC in the target domain and sends it a replication request through the MS-DRSR GetNCChanges call (IDL_DRSGetNCChanges), asking either for a single account or for the whole naming context.
Because the caller holds replication rights, the DC treats the request exactly as it would one from a peer domain controller and returns the requested directory objects from its own copy of the directory, including the secret attributes (NT hashes, Kerberos keys and password history) that are never exposed through ordinary LDAP reads. No other DC is involved in answering, and the targeted DC does not have to be the PDC emulator; any writable DC will do.
How do I prevent a DCSync attack?
The MS-DRSR protocol is essential to the normal functioning of Active Directory; it cannot simply be turned off or disabled.
What you can do to specifically prevent this type of attack is to maintain discipline and proper control of your privileged accounts:
Follow the least-privilege model and maintain an up-to-date list of every account and group holding the "Replicating Directory Changes" rights on the domain object. In a default domain only the built-in Administrators group and the domain controller groups hold them; any other grantee (a directory synchronization service account such as the one used by Azure AD Connect password hash sync, for example) must be known and approved.
Keep highly privileged domain admin accounts in their own groups, separate from the accounts used for everyday work and from ordinary server administration accounts.
Use a Privileged Access Management (PAM) solution to broker and record every use of a privileged account, and alert on any use of these accounts that bypasses the PAM solution.
Ensure that every privileged account has a complex, unique password that is not reused on any other system on the network (ideally vaulted and rotated by the PAM solution).
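As an added example (this is not code from the original article or its authors), the following PowerShell audits the ACL of the domain object for the three replication rights and flags every grantee that is not one of the default holders. It goes one step beyond the list above by expanding any unexpected group to its members, since a right granted to a group is effectively held by every member. The MSOL_ account name, the domain the script runs in and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not part of the original article: audit which principals hold the
# replication extended rights on the domain naming context, then expand the unexpected
# ones to their members. Assumes a domain-joined host with the RSAT ActiveDirectory
# module (Import-Module creates the AD: drive that Get-Acl uses).
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema; the 'All' GUID is the one the article's
# detection rule matches on.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

# Principals that hold these rights in a default domain (compared on the part after the
# backslash so the domain NetBIOS prefix does not matter).
$DefaultGrantees = @('Administrators', 'Domain Controllers',
                     'ENTERPRISE DOMAIN CONTROLLERS', 'Enterprise Read-only Domain Controllers')

# Accounts you have knowingly granted replication rights. Assumption: replace with your
# own, e.g. the MSOL_ account used by Azure AD Connect password hash sync.
$ApprovedGrantees = @('MSOL_0123456789ab')

function Get-DcSyncGrantees {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    (Get-Acl -Path "AD:\$DomainDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            $name = ($_.IdentityReference.Value -split '\\')[-1]
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
                Expected  = ($name -in $DefaultGrantees) -or ($name -in $ApprovedGrantees)
            }
        }
}

# Anything not expected is a finding. A right granted to a group is held by every
# member, so expand groups recursively to see the real list of DCSync-capable accounts.
function Get-UnexpectedDcSyncGrantees {
    Get-DcSyncGrantees | Where-Object { -not $_.Expected } | ForEach-Object {
        $name = ($_.Identity -split '\\')[-1]
        $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{
            Identity = $_.Identity
            Right    = $_.Right
            Members  = if ($members) { $members -join ', ' } else { '(user account or unresolved)' }
        }
    }
}

Get-DcSyncGrantees | Sort-Object Identity, Right | Format-Table -AutoSize
Get-UnexpectedDcSyncGrantees | Format-Table -AutoSize
```

Run it from a privileged session on a schedule and diff the output against the previous run; a new row in the second table is exactly the kind of change the least-privilege list above is meant to catch. Note that it only inspects the domain head: rights delegated lower in the tree do not allow replication of the naming context, so they are out of scope here.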
How do I detect a DCSync attack?
You need to collect the required security logs in your organization's SIEM/SOAR platform and build a use case (rule) that detects the symptoms of a DCSync attack and alerts you.
The steps below describe the basic use-case logic:
Step 1: Enable the "Audit Directory Service Access" subcategory (success) on all domain controllers and collect Event ID 4662: An operation was performed on an object. This event is very noisy by default, so filter at collection time and keep only the events that match the DCSync properties listed in Step 2.
Step 2: Create the use case/rule with the following conditions:
Event ID: 4662
AND
Properties contains 'Replicating Directory Changes All' OR Properties contains '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
The Properties field of a raw 4662 event carries the GUID, not the friendly name, so match on the name only if your SIEM resolves it. The AccessMask of these events is 0x100 (Control Access), which is worth adding as a third condition.
Note: You can also match 'Replicating Directory Changes' (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) or 'Replicating Directory Changes In Filtered Set', but that will likely produce more noise and false positives.
Step 3: Exclude your organization's known domain controller computer accounts (the SubjectUserName ending in $) so that legitimate replication is not captured, and exclude known synchronization service accounts once you have confirmed them. Do not exclude every account ending in $: an attacker can perform DCSync from a compromised or rogue machine account.
Note that 4662 does not record a source IP address. To find where the request came from, correlate its SubjectLogonId with the 4624 logon event on the same DC that has the same TargetLogonId; that event carries the IpAddress and LogonType fields.
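As an added example (not code from the original article or its authors), here is the rule logic of Steps 1 to 3 written as PowerShell and run over a few constructed 4662 records, together with the 4624 correlation that recovers the source address 4662 itself lacks. The account names, hostnames, logon IDs and IP addresses are made up for the example; the field names are those of the real Security log events.

```powershell
# Added example, not part of the original article: the rule logic from Steps 1-3 run over
# constructed 4662/4624 records, plus the logon-ID correlation that recovers the source
# IP address 4662 itself does not carry. Field names mirror the EventData of the real
# Security log events; account names and addresses below are assumptions.
$ReplicateAllGuid  = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All
$KnownDcAccounts   = @('DC01$', 'DC02$')                       # assumption: your DC computer accounts
$KnownSyncAccounts = @('MSOL_0123456789ab')                    # assumption: approved sync service accounts

function Find-DcSyncEvents {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string[]]$ExcludeAccounts = ($KnownDcAccounts + $KnownSyncAccounts)
    )
    $Events | Where-Object {
        $_.Id -eq 4662 -and
        $_.AccessMask -eq '0x100' -and                       # Control Access: an extended right was used
        $_.Properties -like "*$ReplicateAllGuid*" -and       # Step 2: the 'All' right is in the list
        $_.SubjectUserName -notin $ExcludeAccounts           # Step 3: allow-list, not a blanket '$' exclusion
    }
}

# 4662 has no IpAddress field: match its SubjectLogonId to the TargetLogonId of the 4624
# logon event recorded on the same DC to learn where the session came from.
function Add-SourceAddress {
    param([object[]]$Hits = @(), [Parameter(Mandatory)] [object[]]$Logons)
    foreach ($hit in $Hits) {
        $logon = $Logons | Where-Object {
            $_.Id -eq 4624 -and
            $_.Computer -eq $hit.Computer -and
            $_.TargetLogonId -eq $hit.SubjectLogonId
        } | Select-Object -First 1
        [pscustomobject]@{
            TimeCreated = $hit.TimeCreated
            DC          = $hit.Computer
            Account     = "$($hit.SubjectDomainName)\$($hit.SubjectUserName)"
            SourceIp    = if ($logon) { $logon.IpAddress } else { 'unknown (no matching 4624)' }
            LogonType   = if ($logon) { $logon.LogonType } else { $null }
        }
    }
}

# Constructed sample records (the Properties text is laid out the way 4662 renders it).
$props = "Control Access`r`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`r`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`r`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
$propsNoAll = "Control Access`r`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`r`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
$SampleEvents = @(
    # legitimate replication between two DCs -> excluded by the allow-list
    [pscustomobject]@{ Id=4662; TimeCreated='2021-07-23 09:14:02'; Computer='DC01.corp.example'; SubjectUserName='DC02$'; SubjectDomainName='CORP'; SubjectLogonId='0x3e7'; AccessMask='0x100'; Properties=$props }
    # approved sync account -> excluded
    [pscustomobject]@{ Id=4662; TimeCreated='2021-07-23 09:15:10'; Computer='DC01.corp.example'; SubjectUserName='MSOL_0123456789ab'; SubjectDomainName='CORP'; SubjectLogonId='0x9a1b2'; AccessMask='0x100'; Properties=$props }
    # domain admin using the 'All' right from a non-DC session -> DCSync hit
    [pscustomobject]@{ Id=4662; TimeCreated='2021-07-23 09:16:44'; Computer='DC01.corp.example'; SubjectUserName='jdoe'; SubjectDomainName='CORP'; SubjectLogonId='0x5a3f2c'; AccessMask='0x100'; Properties=$props }
    # same admin, but only the non-'All' right -> no secrets read, left out (see the Note under Step 2)
    [pscustomobject]@{ Id=4662; TimeCreated='2021-07-23 09:17:01'; Computer='DC01.corp.example'; SubjectUserName='jdoe'; SubjectDomainName='CORP'; SubjectLogonId='0x5a3f2c'; AccessMask='0x100'; Properties=$propsNoAll }
    # machine account that is not a known DC -> hit (a rogue or compromised host)
    [pscustomobject]@{ Id=4662; TimeCreated='2021-07-23 09:18:30'; Computer='DC02.corp.example'; SubjectUserName='WS042$'; SubjectDomainName='CORP'; SubjectLogonId='0x7c01d'; AccessMask='0x100'; Properties=$props }
)
$SampleLogons = @(
    [pscustomobject]@{ Id=4624; Computer='DC01.corp.example'; TargetUserName='jdoe';   TargetLogonId='0x5a3f2c'; LogonType=3; IpAddress='10.20.30.44' }
    [pscustomobject]@{ Id=4624; Computer='DC02.corp.example'; TargetUserName='WS042$'; TargetLogonId='0x7c01d';  LogonType=3; IpAddress='10.20.31.9' }
)

$hits = Find-DcSyncEvents -Events $SampleEvents        # the jdoe (09:16:44) and WS042$ records
Add-SourceAddress -Hits $hits -Logons $SampleLogons | Format-Table -AutoSize

# Production feed: flatten real EventLogRecord objects from Get-WinEvent into the same shape.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{ Id = $Record.Id; TimeCreated = $Record.TimeCreated; Computer = $Record.MachineName }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]$data
    }
}
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4662,4624 } | ConvertFrom-SecurityEvent
```

The allow-list in Find-DcSyncEvents is deliberately explicit: the WS042$ record is kept precisely because it is a machine account that is not a domain controller, which a blanket "ends in $" exclusion would have hidden. In a SIEM the same logic becomes a join between the two event IDs on the logon ID and DC name; the PowerShell version is useful for testing the rule against exported logs before deploying it.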
How do I respond to a DCSync attack alert?
Once an alert triggers, your response team must first identify the source account and the source host from the event and its enrichment: the SubjectUserName and SubjectDomainName of the 4662 event, the DC that logged it, and the source IP address obtained by correlating the event's SubjectLogonId with the matching 4624 logon event on that DC.
If the request came from a host that is not a known domain controller, verify with your Active Directory team whether a legitimate DC promotion or directory synchronization service was being set up, or whether this is a rogue host.
Examine the source account: a DCSync request from a user account means that an existing privileged account (usually a domain admin) has been compromised, and that account becomes the pivot for the rest of the investigation.
If the alert is a likely true positive, disable the compromised account, isolate the source host, and begin containment and eradication. Because a successful DCSync exposes every credential in the domain, treat all domain secrets as compromised: plan to reset privileged account passwords and the KRBTGT account password (twice, allowing replication to complete between the two resets) once the attacker's access has been removed.