T1003.006: DCSync
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket or change an account's password as noted in Account Manipulation.
DCSync functionality has been included in the "lsadump" module in Mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
pt_nad: PT-CR-732: NAD_DCSync_Attack: PT NAD detected a possible DCSync attack
mitre_attck_cred_access: PT-CR-2076: Netlogon_Auth: Authentication using the insecure Netlogon protocol
active_directory_attacks: PT-CR-595: DCSync_Privileges_Given: A user granted a group of users the privileges needed to carry out a DCSync attack
active_directory_attacks: PT-CR-85: Replication_to_unauthorized_DRA: Unauthorized DC replication, the mechanism that synchronizes changes made on one domain controller with the other domain controllers. This may indicate a DCSync attack and may allow an attacker to obtain the credentials of other domain users
active_directory_attacks: PT-CR-594: DCSync_Attack: A DCSync attack was detected; it allows an attacker to impersonate a domain controller in order to obtain user credentials. With this data an attacker can move laterally or gain access to confidential information
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet content associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocols). |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
| DS0026 | Active Directory: Active Directory Object Access | Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. Note: Domain controllers may not log replication requests originating from the default domain controller account. |
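The DS0026 row above is the usual starting point for an implementation: on a domain controller, a replication request shows up as Security Event ID 4662 whose requested access rights include the control-access-right GUIDs behind "Replicating Directory Changes". The following added example (not from this page and not Positive Technologies' code) runs that check over constructed, flattened key=value event records and allowlists the known domain controller accounts; the three GUIDs are the well-known Active Directory schema values for the replication rights and are assumed here rather than taken from the page.

```python
"""Flag Event ID 4662 records that request directory-replication rights from
an account that is not a known domain controller (hypothetical SIEM-style check)."""
import re

# Control-access-right GUIDs behind "Replicating Directory Changes"
# (well-known AD schema values; assumed correct, not taken from the page).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

# Constructed sample records, one event per line. DC02$ is a legitimate
# replication partner; svc_backup is not; jdoe touches an unrelated right
# (placeholder GUID); the 4624 line is noise that must be ignored.
SAMPLE_LOG = """\
EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=svc_backup ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe ObjectType=user Properties={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
EventID=4624 SubjectUserName=svc_backup LogonType=3
"""

def parse_event(line):
    """Turn one flattened 'Key=Value ...' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def replication_rights(event):
    """Names of the replication rights requested in a 4662 event ([] if none)."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]

def dcsync_alerts(log_text, dc_accounts):
    """Return (subject, rights) for every 4662 event that asks for replication
    rights from an account outside the domain-controller allowlist."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev)
        if rights and ev.get("SubjectUserName") not in dc_accounts:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_LOG, {"DC01$", "DC02$"}):
        print(f"ALERT possible DCSync by {subject}: {', '.join(rights)}")
```

Keep the allowlist to the accounts that actually appear in the logs; as the table notes, a domain controller may not log requests from its own default account, so an empty alert stream is not proof that no replication occurred.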
Mitigation
| ID | Name | Description |
|---|---|---|
| M1015 | Active Directory Configuration | Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication. |
| M1027 | Password Policies | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| M1026 | Privileged Account Management | Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. |