In this blog post, we’ll be talking about the DCSync attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCSync was the topic of a previous STEALTHbits blog post, so we’ll start this post with a review of DCSync and then cover what we can do about this attack with StealthDEFEND.
What is DCSync?
DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of a Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.
DCSync itself is a command within Mimikatz. It relies on specific calls in the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulate the behavior of a domain controller and ask other domain controllers to replicate information. Because it uses this protocol, the attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.
Generally speaking, the DCSync attack works in the following way:
- Discovery of a Domain Controller from which to request replication.
- User replication is requested using the GetNCChanges function.
- The DC returns replication data to the requestor, including password hashes.
The classic use case for DCSync is as a precursor to a Golden Ticket attack, as it can be used to retrieve the KRBTGT hash.
It is important to note that some very privileged rights are required in order to execute this attack. This is why the attack is classified as occurring late in the kill chain, and typically it will take some time for an attacker to obtain these permissions.
Generally, Administrators, Domain Admins, and Enterprise Admins have the rights required, but more specifically the following rights are needed:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
DCSync Detection with StealthDEFEND
StealthDEFEND has a specifically crafted threat to deal with DCSync. StealthDEFEND actively monitors all domain replication traffic for signs of DCSync, and does not rely on the Windows event log or on network packet capture. The primary method used to detect DCSync is finding patterns of behavior matching DCSync, in particular replication occurring between a Domain Controller and a host that is not a Domain Controller.
The DCSync threat will display a summary of the activity that generated the threat as well as a visualization that illustrates which user perpetrated the attack, the domain and user targeted, and supporting evidence of the attack.
In this example, we have identified Domain Replication activity where the requesting source is a Workstation that requested replication for a privileged account.
If a perpetrator executes multiple DCSync attacks, the threat will be appended with this information to show that multiple attacks were executed.
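To make the detection heuristic described above concrete, here is an added example (not StealthDEFEND code, and not how the product implements its monitoring) that applies the "replication requested from a non-Domain Controller" rule to a handful of constructed replication observations and groups repeated requests by perpetrator. The host names, account names and event records are all made up; the three control-access-right GUIDs are the well-known Active Directory values behind the rights listed earlier.

```python
"""Toy DCSync detection: flag replication requests whose source is not a DC."""
from collections import defaultdict

# Control-access-right GUIDs for the three "Replicating Directory Changes"
# permissions (well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}

# Hosts that are legitimately allowed to replicate: the domain's DCs (constructed).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed observations of GetNCChanges requests (not real telemetry).
SAMPLE_EVENTS = [
    {"account": "DC02$", "source": "DC02",
     "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "target": "krbtgt"},
    {"account": "jsmith", "source": "WS-047",
     "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "target": "krbtgt"},
    {"account": "jsmith", "source": "WS-047",
     "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "target": "Administrator"},
    {"account": "svc_backup", "source": "WS-112",
     "right": "00000000-0000-0000-0000-000000000000", "target": "fileshare01"},  # placeholder, non-replication right
]


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS):
    """Return {perpetrator: [(source_host, target_account), ...]} for every
    replication request that did not originate from a known Domain Controller.
    Repeated requests by the same account are appended to one threat entry."""
    threats = defaultdict(list)
    for ev in events:
        if ev["right"] not in REPLICATION_RIGHTS:
            continue  # not a directory replication operation at all
        if ev["source"] in dcs:
            continue  # DC-to-DC replication is normal and expected
        threats[ev["account"]].append((ev["source"], ev["target"]))
    return dict(threats)


def summarize(threats):
    """One human-readable line per perpetrator, as a threat summary would show."""
    return [f"{who}: {len(hits)} replication request(s) from {sorted({h for h, _ in hits})}"
            f" targeting {[t for _, t in hits]}" for who, hits in threats.items()]


if __name__ == "__main__":
    for line in summarize(detect_dcsync(SAMPLE_EVENTS)):
        print(line)
```

The DC-to-DC request and the unrelated access by svc_backup are ignored; only the two workstation-sourced requests are reported, both attributed to the same perpetrator.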
DCSync Threat Response with StealthDEFEND
Given that an attacker already needs elevated privilege in order to successfully execute DCSync, an immediate response is needed to contain further damage.
A standard playbook response of disabling users may not be enough in itself, as by the time this has happened the attacker likely has a host of other resources and options available to them.
The Automated Context Injection capabilities of StealthDEFEND provide us with the perpetrator, sources, targets, and query information related to the DCSync attack, which can be utilized by our response steps. In the event of a DCSync attack, the best first step is to communicate that the attack has occurred and get the right information in front of the right people in the organization. By integrating with a number of third-party products such as Slack, Microsoft Teams, and ServiceNow, we are able to facilitate this.
StealthINTERCEPT Blocking policies can be used to prevent the perpetrating account or workstation from executing additional replication, which may help slow down an attacker and give responders more time to completely eliminate the threat.