Active Directory (AD) is an authentication service for managing computer and network accounts across an enterprise. Valuable account information, such as password hashes, is stored on servers called domain controllers (DCs). The DC is a treasure trove for attackers, but breaking into a DC to steal this information is difficult.

DCSync is a technique that makes attacks against the DC easier. Instead of breaking into a DC, an attacker takes advantage of normal processes (such as password replication between DCs) to collect password hashes by impersonating a DC.

Because DCSync is a stepping-stone for other dangerous attacks, detecting DCSync is important. Learn the basics of how a DCSync attack works, how ExtraHop Reveal(x) detects DCSync traffic, and how to prevent these attacks.

What is DCSync?

DCSync is a technique used to get user credentials. This method locates a DC, requests directory replication, and collects password hashes from the subsequent response. DCSync was created by Benjamin Delpy and Vincent Le Toux in 2015 and is a feature of the Mimikatz tool.

Directory replication is a necessary process that helps administrators manage account information across multiple DCs in an IT environment, which might contain several domains. If a user changes their password, directory replication ensures that these account credentials are updated across domains and that authentication goes smoothly for that user.

A successful DCSync attack requires access to an administrator account with Replicate Directory Changes privileges, which allow that account to collect password hashes from the DC. While compromising an administrator account (or escalating privileges) presents challenges for the attacker, requesting replicated data from the DC is more convenient than compromising a DC.

DCSync is frequently coupled with other attacks. It might be a next step after exploiting vulnerabilities such as Zerologon, which provides attackers with the necessary privileges. DCSync can also be a precursor for dangerous attacks such as golden ticket, which is made possible after collecting the password hash from the KRBTGT account (an important administrative account in AD).

How DCSync Works

DCSync leverages the Microsoft Directory Replication Service Remote (MS-DRSR) protocol to request replicated data from a DC. MS-DRSR is based on the remote procedure call (RPC) network protocol, which enables communication between a client and server. For example, MS-DRSR includes RPC interfaces (such as drsuapi) with operations (such as DRSGetNCChanges). The interfaces are located on the DC server, and the operation is similar to a procedure command. When an administrator wants to retrieve a recently updated password hash from a DC, the administrator's client sends an RPC request to call the interface and operation (drsuapi:DRSGetNCChanges) on the DC server. The action of calling the interface and operation runs the procedure.

After acquiring the necessary privileges, the attacker runs the lsadump::dcsync command in Mimikatz to collect the password hash for their target. Mimikatz locates the DC for the target domain and sends RPC requests from the compromised client that request the password hash from that DC.

Network monitoring is the primary method for detecting DCSync because RPC is a network protocol. Directory replication activities can create logs, but attackers can also clear event logs or stop threads from collecting logs with Mimikatz or Invoke-Phant0m tools.

ExtraHop automatically detects unusual RPC traffic that is associated with directory replication between DCs and devices that do not usually submit these requests.

Because DCSync takes advantage of normal AD functionality, this attack can be challenging to prevent. Blocking directory replication would complicate authentication across the enterprise.
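The network-side detection described above, as an added example that is not ExtraHop's code: it scans constructed RPC flow records for drsuapi DRSGetNCChanges calls and flags any whose source is not a known DC, since DC-to-DC replication is normal but the same call from a workstation is the DCSync pattern. The drsuapi interface UUID and the DRSGetNCChanges opnum are taken from the MS-DRSR specification and are not stated on the page; the log format, addresses and DC list are assumptions.

```python
# Added example (not from the page or ExtraHop): flag MS-DRSR replication
# requests that do not originate from a known domain controller.
from collections import namedtuple

# Values from the MS-DRSR specification (assumption: not stated on the page).
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
OPNUM_DRSGETNCCHANGES = 3

RpcCall = namedtuple("RpcCall", "ts src dst iface opnum")

def parse_record(line):
    """Parse one constructed flow-log line: ts,src,dst,interface_uuid,opnum."""
    ts, src, dst, iface, opnum = [f.strip() for f in line.split(",")]
    return RpcCall(ts, src, dst, iface.lower(), int(opnum))

def is_replication_request(call):
    """True for a drsuapi DRSGetNCChanges call (the operation DCSync uses)."""
    return call.iface == DRSUAPI_UUID and call.opnum == OPNUM_DRSGETNCCHANGES

def find_dcsync_candidates(lines, known_dcs):
    """Return replication requests whose source is not a known DC.

    Replication between DCs is expected; a DRSGetNCChanges request from a
    device that does not normally replicate is the signal worth alerting on.
    """
    return [
        call for call in map(parse_record, lines)
        if is_replication_request(call) and call.src not in known_dcs
    ]

# Constructed sample flow log: one normal DC-to-DC replication, one
# DRSGetNCChanges call from a workstation, a bind-only call (opnum 0) and a
# call on an unrelated (made-up) interface.
SAMPLE_LOG = [
    "2024-05-01T10:00:01,10.0.0.11,10.0.0.10,E3514235-4B06-11D1-AB04-00C04FC2DCD2,3",
    "2024-05-01T10:00:05,10.0.0.57,10.0.0.10,e3514235-4b06-11d1-ab04-00c04fc2dcd2,3",
    "2024-05-01T10:00:07,10.0.0.57,10.0.0.10,e3514235-4b06-11d1-ab04-00c04fc2dcd2,0",
    "2024-05-01T10:00:09,10.0.0.57,10.0.0.10,00000000-0000-0000-0000-000000000000,1",
]
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}  # assumed DC inventory

if __name__ == "__main__":
    for a in find_dcsync_candidates(SAMPLE_LOG, KNOWN_DCS):
        print(f"{a.ts} possible DCSync: {a.src} -> {a.dst} (DRSGetNCChanges)")
```

In practice the DC list would come from an inventory or a learned baseline of hosts that normally issue replication requests, which is what the "devices that do not usually submit these requests" logic above approximates.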