DCSync Attacks and How To Prevent Them

What Are DCSync Attacks?

A DCSync attack uses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a domain controller (DC) and request user credentials from another DC.

These attacks abuse a function that Active Directory requires in order to work, which complicates attempts to prevent them. Large networks need many DCs, and each of those DCs needs up-to-date directory information. That requires a mechanism by which one DC can push changes, including updated credential material, to another DC.

Attackers subvert that mechanism by pretending to be a DC and issuing the DRSGetNCChanges request (IDL_DRSGetNCChanges in MS-DRSR) to pull password hashes. A common use of this technique is to obtain the KRBTGT account hash, which brings the attacker one step closer to forging a Kerberos "golden ticket."

DCSync requires a compromised account that holds domain replication privileges. With that in hand, the attacker locates a domain controller, asks it to replicate, and extracts password hashes from the response.

DCSync is a capability of the Mimikatz tool.


Protection Against DCSync Attacks

One method is to monitor Windows Security event logs for Event ID 4662. Logs are an important part of security, but using them to monitor an entire IT environment at scale poses significant challenges.

Monitoring traffic as it moves across the network is an effective way to detect DCSync attacks. Network detection and response has the added benefit of catching DCSync even when the attacker has disabled logging. Toolsets such as Mimikatz or 'Invoke-Phant0m' can clear event logs or stop the threads that collect them, so an additional line of defense is necessary.

To make DCSync attacks more difficult, be sure to carefully control the following privileges in AD:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set
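The following example ties the two recommendations above together: it scans Event ID 4662 records for the control-access-right GUIDs that correspond to the three replication privileges and flags any principal outside an allowlist of accounts that legitimately replicate (DC machine accounts, directory-sync service accounts). This is added illustration code, not part of the original article; the sample events, account names and allowlist are constructed, while the three GUIDs are the well-known Active Directory schema values for these rights.

```python
import re

# Control access right GUIDs for the three replication privileges (AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")


def replication_rights_in(properties: str) -> list:
    """Return the replication privilege names present in a 4662 'Properties' field."""
    guids = [g.lower() for g in GUID_RE.findall(properties)]
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def detect_dcsync(events, allowlist):
    """Flag 4662 events in which a principal outside the allowlist exercised a
    replication right. The allowlist holds DC machine accounts plus any service
    accounts (e.g. directory-sync tools) that are expected to replicate."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        who = ev.get("SubjectUserName", "")
        if rights and who.lower() not in allowed:
            findings.append((who, rights))
    return findings


# Constructed sample events (not real log data); field names mirror the 4662 event XML.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",   # a real DC replicating: expected
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",    # user account pulling all changes: suspicious
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",    # unrelated property access (placeholder GUID)
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},  # not a 4662 at all
]
DC_ALLOWLIST = {"DC01$", "DC02$"}  # constructed: this domain's DC machine accounts

if __name__ == "__main__":
    for who, rights in detect_dcsync(SAMPLE_EVENTS, DC_ALLOWLIST):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```

Keep the allowlist tight and reviewed: any account that appears on it holds the same rights the attacker needs, so it belongs under the privilege controls described above.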

Detection of this attack can be improved with decryption. DCSync relies on several Microsoft protocols, including Kerberos, and decrypting that traffic allows earlier detection of abnormal behavior and forged Kerberos tickets. For this reason, it is critical that security tools be able to decrypt the commonly encrypted Microsoft protocols, such as Kerberos, MS-RPC and SMBv3.


DCSync History

Previously, to run Mimikatz against a DC an attacker first needed administrative access on that DC. DCSync removes that step, making Active Directory harder to defend.

DCSync was added as a feature of the Mimikatz tool in 2015 and was created by Benjamin Delpy and Vincent Le Toux.

The attack is often the next step after vulnerabilities, like CVE-2020-1472 Zerologon, provide attackers with the prerequisite privileges.

Domain Controllers

DCs have broad read and write privileges over the directory, which makes them appealing targets for attackers. Securing DCs is therefore of great importance, and security teams should be particularly concerned about vulnerabilities such as PrintNightmare that can compromise them.