Submitted URL: https://timurengin.com/the-anatomy-of-a-dcsync-attack-and-how-to-protect-against-it-bf86bf9fb316
THE ANATOMY OF A DCSYNC ATTACK AND HOW TO PROTECT AGAINST IT

Timur Engin · 5 min read · Mar 25, 2024

This blog post was co-written with Mehmetcan TOPAL. All attack methods demonstrated and used in this article are for educational purposes; they have all been performed in a lab environment.

It’s rare to come across a company or organisation that doesn’t use Active Directory. In Active Directory (AD), someone with Domain Admin or an equivalent level of authority has control over the entire domain. This control can be exploited in various ways, such as spreading ransomware to machines joined to the domain, stealing all user data (including password hashes), creating privileged accounts for future activity and persistence, or selling access to the domain to another threat actor. Unfortunately, many organisations do not give the necessary attention to defensive measures in AD. This series will explain the most common AD attack vectors, as well as how to mitigate and detect them. The first post of this series covered Lateral Movement and can be found here.

This post goes into the details of a DCSync attack. In this type of attack, the attacker simulates the behaviour of a legitimate domain controller (DC) and asks other DCs in the network to replicate sensitive information, such as password hashes and user credentials, using the Directory Replication Service Remote Protocol (MS-DRSR). Since MS-DRSR is a valid and necessary function of Active Directory, it cannot be disabled or turned off, which makes it a useful method for attackers to avoid detection.

ANATOMY OF THE ATTACK

MS-DRSR is an RPC protocol used for replicating and managing data in Active Directory. A DCSync attack can be carried out with Administrator, Domain Admin, or Enterprise Admin privileges, or by any account that holds the “DS-Replication-Get-Changes-All” permission.
The attacker selects a domain controller (DC) as the DCSync target and asks it to replicate user information using GetNCChanges (MS-DRSR); each DC on the network that receives the resulting DSReplicaSync request sends its current objects back to the DC (or the machine acting as one) from which the request was made, in a loop. A DCSync attack can be performed from a machine within the domain or remotely by running remote commands. The DCSync attack has the following three stages:

1. A DC is identified as the target.
2. The attacker makes a request to replicate user data using the GetNCChanges method (MS-DRSR).
3. When each DC on the network receives a DSReplicaSync request, it sends its current objects back to the DC (or machine ‘acting’ as a DC) from which the malicious request was made, in a loop.

For the example scenarios the following will be used:

* DC2 IP: 192.168.37.101
* Domain Admin: UserCA
* Domain User: UserD1

Using mimikatz locally on a domain-joined machine

Run the lsadump::dcsync /user:<username> command from mimikatz using the Domain Admin account UserCA.

Remotely using Python impacket

A normal user account such as UserD1 can be used if it holds the “Replicating Directory Changes All” ACL permission. The DCSync attack can then be carried out with the “secretsdump” module from Python impacket:

impacket-secretsdump <domain_name>/<user>:<password>@IP

[1], [2], [3], [4]

MITIGATION

By default, DCSync privileges are granted to certain groups in Active Directory: the Domain Controllers and Administrators groups, and the Enterprise Admins and Domain Admins groups, which are members of Administrators. Some applications used in the domain may also need these privileges to function properly. For example, Entra Connect (formerly Azure AD Connect) uses a service account with permission to replicate the passwords of accounts synchronised from Active Directory to Entra ID (formerly Azure AD).
To find accounts in the domain that hold the permission (ACL) needed for DCSync, the following command can be used (replace the placeholder with the distinguished name of the domain):

dsacls "<DC=domain,DC=tld>" | Select-String "Replicating Directory Changes All"

Accounts or groups with this permission should either be managed like high-privileged accounts (as detailed in the Mitigating Lateral Movement part of the Lateral Movement post) or have the ACL permission removed. Otherwise the enlarged attack surface makes it easier for attackers to obtain the credentials of Active Directory users.

DETECTION

All DCSync activity in the domain can be detected with Event ID 4662, “An operation was performed on an object”. Both successful and unsuccessful DCSync attempts produce these events. To filter for DCSync activity, look for events whose Properties field contains 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All). In the event below, the UserCA account from the TEST0 domain can be seen performing DCSync from the DC2 machine.

Filtering out machine accounts and certain service accounts (Entra Connect, SharePoint, …) simplifies event investigation, as their DCSync requests are not uncommon. The Kusto query below can be used to examine possible DCSync events.

SecurityEvent
| where EventID == 4662
| where Account !endswith "$"
| where Account !startswith "MSOL_"
| where ObjectServer == "DS"
| where Properties contains "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
| project TimeGenerated, EventID, Account, Properties, Computer

It is also useful to watch for the DS-Replication-Get-Changes-All permission being newly granted to accounts in the domain. To detect this, Event ID 4670, “Permissions on an object were changed”, should be collected.

DCSync attacks are a common way for attackers to harvest Active Directory credentials.
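The filter from the Kusto query above, plus the 4670 check for a newly granted permission, rendered as Python over a handful of constructed 4662/4670 events. This is an added example, not code from the original post; the SecurityEvent field names, the SDDL strings, the SID and the MSOL_ account name are assumptions, and only UserCA, UserD1, DC2 and the GUID come from the post.

```python
from dataclasses import dataclass

GET_CHANGES_ALL = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All (from the post)
EXCLUDED_PREFIXES = ("MSOL_",)  # Entra Connect service accounts, excluded as in the post's query

@dataclass
class SecurityEvent:  # subset of the SecurityEvent columns the post's KQL uses (names assumed)
    time_generated: str
    event_id: int
    account: str
    computer: str
    object_server: str = ""
    properties: str = ""  # 4662: accessed properties, lists the requested right GUIDs
    old_sd: str = ""      # 4670: security descriptor (SDDL) before the change
    new_sd: str = ""      # 4670: security descriptor (SDDL) after the change

def is_dcsync_candidate(ev):
    """The post's KQL predicate. KQL startswith/contains are case-insensitive,
    so the account prefix and GUID are compared case-insensitively here too."""
    return (ev.event_id == 4662
            and not ev.account.endswith("$")                          # machine accounts
            and not ev.account.upper().startswith(EXCLUDED_PREFIXES)  # known service accounts
            and ev.object_server == "DS"
            and GET_CHANGES_ALL in ev.properties.lower())

def dcsync_alerts(events):
    """Same projection as the post's query, for every matching event."""
    return [(ev.time_generated, ev.event_id, ev.account, ev.properties, ev.computer)
            for ev in events if is_dcsync_candidate(ev)]

def new_get_changes_all_grants(events):
    """4670 events where the right is in the new SDDL but not the old one:
    the DCSync permission was just granted (the post's second detection)."""
    return [(ev.time_generated, ev.account, ev.computer) for ev in events
            if ev.event_id == 4670 and GET_CHANGES_ALL in ev.new_sd.lower()
            and GET_CHANGES_ALL not in ev.old_sd.lower()]

# Constructed sample events (not real logs): a DC machine account, the Entra Connect
# account, Domain Admin UserCA, a plain read by UserD1, and a permission grant.
CA = "Control Access\n{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"  # braces/case as 4662 renders it
SAMPLE_EVENTS = [
    SecurityEvent("2024-03-25T10:00:01Z", 4662, "DC1$", "DC2", "DS", CA),
    SecurityEvent("2024-03-25T10:00:02Z", 4662, "MSOL_a1b2c3d4e5f6", "DC2", "DS", CA),
    SecurityEvent("2024-03-25T10:00:03Z", 4662, "UserCA", "DC2", "DS", CA),
    SecurityEvent("2024-03-25T10:00:04Z", 4662, "UserD1", "DC2", "DS",
                  "Read Property\n{00000000-0000-0000-0000-000000000000}"),  # placeholder GUID
    SecurityEvent("2024-03-25T09:59:00Z", 4670, "UserCA", "DC2", old_sd="D:(A;;RP;;;AU)",
                  new_sd="D:(A;;RP;;;AU)(OA;;CR;" + GET_CHANGES_ALL + ";;S-1-5-21-1-2-3-1105)"),
]
```

Of the four 4662 events only the UserCA one survives the filter, and the 4670 event surfaces the grant that preceded it; note that Python's `in` is case-sensitive, which is why the GUID comparison lower-cases the field.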
The permission to carry out a full Directory Services replication should be limited to the accounts that need it, and these accounts should be treated as privileged accounts and segregated from non-privileged ones. To detect possible DCSync attacks, monitor for DS-Replication-Get-Changes-All calls.