What are DCSync and DCShadow Active Directory attacks?

As you probably know already, a domain controller is a server that responds to security authentication requests within a Windows Server domain. A DC will host the Active Directory Domain Services (AD DS) database, which is used to manage users and computers and authenticate them to other services on the same domain.

Both DCSync and DCShadow attacks are what are referred to as “late-stage kill chain attacks”, and both involve compromising domain controllers in an attempt to either extract credentials or other valuable data, or register/unregister rogue DCs in order to launch other types of attacks.

How the DCSync Attack Works in Active Directory

The DCSync attack is where an attacker impersonates an Active Directory domain controller to obtain authentication credentials from other domain controllers. Were an attacker to gain privileged access to a DC, they will have complete control over the other AD user accounts and services on the domain, and the chances are, they won’t stop there.

Once the attacker is able to gain control over the DC, they will likely try to use their privileged access to compromise other servers on the network. This might involve taking advantage of software vulnerabilities or server mis-configurations with the intention of gaining access to valuable data, such as PII or intellectual property.

Alternatively, they might choose to infect the server with Ransomware in order to extort the organization who is wishing to regain control of the DC.

In simple terms, DCSync attacks work by discovering Domain Controllers and submitting a replication request using the GetNCChanges Function. This prompts the primary Domain Controller to replicate the credentials of other DCs back to the compromised domain administrator using the Directory Replication Service (DRS) Remote Protocol.

The DCSync attack is only possible if the account which the hacker has compromised has replication permissions within Active Directory. The domain controller groups which have replication privileges typically include domain administrators, enterprise administrators, administrators, and domain controller groups.

DCSync attacks leverage commands used by an open-source malware application called Mimikatz, which in turn utilizes commands within the Microsoft Directory Replication Service Remote Protocol (MS-DRSR).

How the DCShadow Attack Works in Active Directory

As with the DCSync attack, the DCShadow attack leverages commands within the Mimikatz lsadump module, and is used to register “rogue” domain controllers for the purpose of replicating changes to other domain controllers without being detected. It even allows the attacker to unregister the rouge DC in order to further cover their tracks. A DCShadow attack can be used to replicate changes to SIDHistory, AdminSDHolder, Passwords, Account Details, Group Membership and more.

How to Detect and Respond to DCSync and DCShadow Attacks

Aside from monitoring network traffic for suspicious activity, you will need to ensure that you know exactly who has access to what domain controllers, what permissions they have and why they have those permissions.

Given that these attacks rely on exploiting Active Directory’s replication protocols, you will need to pay close attention to all permissions that enable replication. You will need to continuously monitor all Domain Replication and Change Events, including replication permission changes and receive real-time alerts when they change.

For DCSync attacks, you need to look for patterns of behaviour that indicate that a domain controller is replicated to a non-domain controller. For DCShadow attacks, you need to pay attention to the registration of domain controllers, as well as the traffic that is being replicated.

It should be noted that simply disabling the suspected user account will not be enough, as it’s likely that the user has already used their elevated privileges to compromise other accounts and services.

In which case, you will need to reset all credentials relating to the affected domain controllers, and reset all relevant permissions back to their original state.

If you’re concerned about the security of your Active Directory, see how Lepide can help you track critical Active Directory changes being made to permissions and configuration. Schedule a demo of the Lepide Data Security Platform today.