Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
DCSync is a well-known, advanced, and effective technique for collecting user credentials. Evidence of a DCSync attack points to an advanced persistent threat, where the attacker has an established presence on the network, has escalated their privileges to administrative domain levels, and is close to achieving their ultimate attack objective.
The system might change the risk score for this detection.
Kill Chain
Risk Score
88
Domain controllers (DCs) can provide an attacker with critical information about your network. DCSync is an attack technique that is included in attack tools such as Mimikatz. DCSync enables an attacker to take advantage of normal processes such as password replication between DCs to collect password hashes by impersonating a DC. First, an attacker infiltrates the network and acquires domain replication privileges (1). The attacker runs an attack tool to perform the DCSync technique. This technique sends Microsoft remote procedure call (MS-RPC) requests (such as drsuapi:DRSGetNCChanges) to collect replicated password hashes (2). DCSync can be a precursor for dangerous attacks such as golden ticket, where the password hash is collected from the important KRBTGT administrative account.
Strictly manage the users and groups who have domain permissions that allow information replication from a domain controller (DC)
Implement strict login controls on devices with highly privileged users to reduce the exposure of credentials stored in memory to attackers
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
Collect information about DC changes with Windows event forwarding and remote aggregation of host-based logs
