What Are DCSync Attacks?
A DCSync attack uses commands from the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a domain controller (DC) and request user credentials from another DC.
These attacks abuse a function that Active Directory genuinely needs, which complicates attempts to prevent them. Large-scale networks require many DCs to function, and each of those DCs needs up-to-date information. That requires a function that lets one DC update another DC on any changes, such as updated credential information.
Attackers subvert that necessary function by pretending to be a DC and using the DRSGetNCChanges function to request password hashes. A common attack uses this method to get the KRBTGT hash, which brings them one step closer to getting a Kerberos "golden ticket."
DCSync requires a compromised user account with domain replication privileges. Once that is established, the attacker can find a domain controller, tell it to replicate, and extract password hashes from its response.
DCSync is a capability of the Mimikatz tool.
Protection Against DCSync Attacks
Monitoring traffic moving across the network is an effective method for detecting DCSync attacks. Network detection and response has the added benefit of being able to detect DCSync attacks even if the attacker has disabled logging. An attacker can use attack toolsets such as Mimikatz or 'Invoke-Phant0m' to clear event logs or stop the threads that collect them, which makes an added line of defense necessary.
To make DCSync attacks more difficult, be sure to carefully control the following privileges in AD:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
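One way to audit who currently holds these three rights on the domain naming context, as an added example that is not part of the original article: it assumes the RSAT ActiveDirectory module and the AD: drive it provides, and uses the well-known schema GUIDs of the three replication extended rights.

```powershell
# Added example (not from the original article): list every principal granted one of the
# three replication extended rights on the domain object, so the output can be compared
# against the expected set (domain controller groups and built-in Administrators).
# Assumes: RSAT ActiveDirectory module installed and run with rights to read the domain ACL.
Import-Module ActiveDirectory

# Rights GUIDs of the three extended rights that make DCSync possible (well-known schema
# values; verify against your forest's schema if it has been customised).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$allExtendedRights = [Guid]::Empty.ToString()   # empty ObjectType = every extended right
$extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

$acl.Access |
    Where-Object {
        $objectType = [string]$_.ObjectType
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($replicationRights.ContainsKey($objectType) -or $objectType -eq $allExtendedRights)
    } |
    ForEach-Object {
        $objectType = [string]$_.ObjectType
        [PSCustomObject]@{
            Principal = $_.IdentityReference.Value
            Right     = if ($objectType -eq $allExtendedRights) { 'All extended rights' }
                        else { $replicationRights[$objectType] }
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize
```

Any principal in this output that is not a domain controller group or a tier-0 administrative group deserves investigation; note that the listing covers explicit extended-right entries only, so principals holding WriteDacl or GenericAll on the domain object, who could grant themselves these rights, must be reviewed separately.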
It used to be the case that, in order to run Mimikatz on a DC, attackers needed to first get admin access to that DC. The addition of DCSync bypasses that step, making Active Directory security more challenging.
DCSync was added as a feature of the Mimikatz tool in 2015 and was created by Benjamin Delpy and Vincent Le Toux.
The attack is often the next step after a vulnerability, such as CVE-2020-1472 (Zerologon), provides attackers with the prerequisite privileges.