DCSync Attack: Definition, Examples, and Prevention
What Are DCSync Attacks?
A DCSync attack uses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a domain controller (DC) and pull user credentials from another DC.
These attacks leverage a function that is necessary to Active Directory, which complicates attempts to prevent them. Large networks require many DCs to function, and each of those DCs needs up-to-date information. That requires a function that lets one DC update another DC on any changes, such as updated credential information.
Attackers subvert that necessary function by pretending to be a DC and using the DRSGetNCChanges function to request password hashes. A common attack uses this method to get the KRBTGT hash, which brings them one step closer to a Kerberos "golden ticket."
DCSync requires a compromised user account with domain replication privileges. Once that is established, one can find a domain controller, tell it to replicate, and get password hashes from its subsequent response.
DCSync is a capability of the Mimikatz tool.
Examples of DCSync Attacks
Golden Ticket Attack
An attacker uses DCSync to get the KRBTGT hash, which allows them to control the Key Distribution Service. They can then create Ticket Granting Tickets (TGTs) for every account in the domain.
Account Manipulation
Credential access is a jumping-off point for many attacks. Account manipulation encompasses many techniques (such as DCSync) for gaining and maintaining access to credentials.
Living off the Land (LotL) Attacks
DCSync can be one component of LotL attacks, which use legitimate processes on the network to achieve their aims, making detection more difficult.
Protection Against DCSync Attacks
One method is to monitor Windows event logs for Event ID 4662. Logs are an important part of security, but using them to monitor across the IT environment has significant challenges.
Monitoring traffic moving across the network is an effective method for detecting DCSync attacks. Network detection and response has the added benefit of being able to detect DCSync attacks even if the attacker has disabled logging. An attacker can use attack toolsets such as Mimikatz or 'Invoke-Phant0m' to clear event logs or stop threads from collecting logs, making an added line of defense necessary.
To make DCSync attacks more difficult, be sure to carefully control the following privileges in AD:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
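Tying the Event ID 4662 monitoring above to these three privileges, here is an added example (not part of the original article or of any vendor product) that checks flattened 4662 records for the control-access-right GUIDs of the three replication rights and flags any principal other than a DC computer account or a known sync service account. The log format, the CORP domain and the svc-adsync account are constructed assumptions.

```python
import re

# Control-access-right GUIDs written to the Properties field of Security
# event 4662 when one of the three replication rights above is exercised.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: DC computer accounts (names end in "$")
# plus an explicit allowlist; the sync service account here is constructed.
EXPECTED_PRINCIPALS = {"CORP\\SVC-ADSYNC"}

def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' record (constructed format) into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def replication_rights_in(event):
    """Names of replication rights found among the GUIDs in the Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def subject_of(event):
    return f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"

def is_expected_replicator(event):
    subject = subject_of(event).upper()
    return subject.endswith("$") or subject in EXPECTED_PRINCIPALS

def detect_dcsync(lines):
    """Return (subject, rights) for each 4662 where a non-DC principal used replication rights."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_in(ev)
        if rights and not is_expected_replicator(ev):
            findings.append((subject_of(ev), rights))
    return findings

# Constructed sample records: a DC replicating (benign), the allowlisted sync
# account (benign), an unrelated logon event, and a normal user account
# exercising both Get-Changes rights, which is the DCSync pattern.
SAMPLE_LOG = [
    "EventID=4662|SubjectDomainName=CORP|SubjectUserName=DC01$|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectDomainName=CORP|SubjectUserName=svc-adsync|Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4624|SubjectDomainName=CORP|SubjectUserName=jdoe|LogonType=3",
    "EventID=4662|SubjectDomainName=CORP|SubjectUserName=jdoe|Properties=%%7688 {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}",
]

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_LOG):
        print(f"ALERT: replication rights used by {subject}: {', '.join(rights)}")
```

In a real deployment the allowlist must be kept in step with the accounts that legitimately hold these rights, since an attacker who compromises one of them will not be flagged by this rule alone.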
Detection of this attack can be enhanced using decryption. This attack relies on a number of different Microsoft protocols including Kerberos. Decryption of these protocols allows early detection of abnormal behavior and forged Kerberos tickets. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted Microsoft protocols such as Kerberos, MS-RPC, SMBv3, and more.
DCSync History
It used to be the case that, in order to run Mimikatz on a DC, attackers needed to first get admin access to that DC. The addition of DCSync bypasses that step, making Active Directory security more challenging.
DCSync was added as a feature of the Mimikatz tool in 2015 and was created by Benjamin Delpy and Vincent Le Toux.
The attack is often the next step after vulnerabilities, like CVE-2020-1472 Zerologon, provide attackers with the prerequisite privileges.
Domain Controllers
DCs have broad read and write privileges that can make them appealing targets for bad actors. That makes securing DCs of great importance and means security teams should be particularly concerned about vulnerabilities like PrintNightmare that can compromise DCs.