DCSync

How to detect, prevent, and mitigate DCSync attacks

DCSync is a command within Mimikatz that an attacker can use to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a DC and ask other DCs for user password data (NTLM hashes and Kerberos keys, including those of the krbtgt account) without ever executing code on a DC.

DCSync attacks are difficult to prevent. The DCSync attack asks a domain controller to replicate directory data using the Directory Replication Service Remote Protocol (MS-DRSR), the same protocol DCs use among themselves. Because MS-DRSR is a valid and necessary function of Active Directory (AD), it cannot be turned off or disabled. Domain replication is governed by the Replicating Directory Changes and Replicating Directory Changes All permissions set on the domain object, which by default are held only by the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups (and Enterprise Domain Controllers). However, any account or group can be granted these rights, and an attacker who already has rights to modify the domain's permissions can grant them to an account of their choosing as a persistence mechanism.


STEALTHbits’ DCSync Solution

STEALTHbits’ products provide a multitude of ways to detect, prevent, and mitigate the DCSync attack.

Detect DCSync Attack

Detection of DCSync is possible by looking for replication requests against domain controllers that do not originate from other domain controllers. On the DC itself, a replication request exercises the replication control-access rights on the domain object, so with Directory Service Access auditing enabled it appears as Security event 4662 whose Properties list the corresponding rights GUIDs; a subject that is not a DC computer account is the signal.
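The following is an added example of that detection logic, not STEALTHbits code: it queries the last 24 hours of event 4662 on a domain controller, keeps only the events that exercised a replication right, and reports the ones whose subject is not a DC computer account. It assumes the ActiveDirectory module is available, that "Audit Directory Service Access" (Success) is enabled on the DC, and that it is run with a right to read the Security log.

```powershell
# Added example (not STEALTHbits code): hunt for DCSync in Security event 4662 on a DC.
# Assumes: ActiveDirectory module, "Audit Directory Service Access" (Success) enabled,
# and permission to read the Security log. Well-known control-access-right GUIDs:
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Computer accounts of the domain's DCs (e.g. DC01$). Any other subject that
# exercises a replication right is a DCSync candidate.
$DcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    # Pull the EventData fields (SubjectUserName, Properties, ObjectName, ...) out of the XML
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

    # Properties holds the access type plus the GUIDs of the control-access rights used
    $Hits = @($ReplicationRights.Keys | Where-Object { $Data['Properties'] -match $_ })
    if ($Hits.Count -eq 0) { continue }

    $Subject = $Data['SubjectUserName']
    if ($DcAccounts -contains $Subject) { continue }   # normal DC-to-DC replication

    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Subject  = "$($Data['SubjectDomainName'])\$Subject"
        Rights   = ($Hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        ObjectDN = $Data['ObjectName']
    }
}
```

Event 4662 identifies the requesting account but not the source host, so an attacker who runs DCSync as a stolen DC computer account (or from a compromised DC) is not caught by the account check alone; pairing this with network visibility of DRSUAPI RPC traffic from non-DC addresses closes that gap. Expect a handful of benign hits from products that legitimately replicate, such as Azure AD Connect's service account, and allow-list those explicitly rather than by loosening the filter.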

APPROACH

Domain Controller Impersonation

DESCRIPTION

Monitor for Active Directory replication traffic coming from a machine that is not a domain controller.

PRODUCT: StealthDEFEND

Prevent DCSync Attack

Prevention of DCSync is possible by blocking replication requests against domain controllers that do not originate from other domain controllers, and by keeping the replication permissions on the domain object from being granted to additional principals in the first place.

APPROACH #1

Block Domain Controller Impersonation

DESCRIPTION

Block Active Directory replication requests (MS-DRSR) coming from a machine that is not a domain controller.

PRODUCT: StealthDEFEND

APPROACH #2

Restrict Domain Permission Changes

DESCRIPTION

Monitor, and optionally block, changes to the permissions on the domain object. Restricting who can add replication permissions reduces an attacker's ability to create persistence in which a non-administrator account can perform the DCSync attack.

PRODUCT: StealthDEFEND


Mitigate DCSync Attack

To mitigate the DCSync attack it is necessary to restrict domain replication permissions. By default, Domain Admins and the other built-in privileged groups hold these rights, and removing them gains little because those groups can obtain account secrets in several other ways. The important step is to ensure that no other users or groups hold these sensitive permissions.

APPROACH

Secure Active Directory Permissions

DESCRIPTION

Review the following Active Directory permission applied at the domain level:

  • Replicating Directory Changes
  • Replicating Directory Changes All

These rights provide attackers the ability to obtain password hashes using the DCSync technique (the related right Replicating Directory Changes In Filtered Set is only needed for attributes in the RODC filtered attribute set, but it is worth reviewing alongside them). Note that an ACE granting all extended rights, or GenericAll, on the domain object includes these rights implicitly. Regularly review and remove unnecessary permissions.
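As an added example (not StealthAUDIT or any other STEALTHbits code), the following script lists every principal that holds a replication right on the domain root, including those that get it implicitly through GenericAll or an all-extended-rights ACE, and flags the ones outside the default set. It assumes the ActiveDirectory module, that the run-as user can read (and, if $Remove is set, write) the domain object's ACL, and that the default group names below match the environment (the Enterprise groups live in the forest root domain).

```powershell
# Added example (not STEALTHbits code): review who holds DCSync-capable rights on the domain root.
# Assumes the ActiveDirectory module and read (write, if $Remove) access to the domain object's ACL.
Import-Module ActiveDirectory

$Remove = $false    # set to $true only after reviewing the report; removes non-default, non-inherited ACEs
$Domain = Get-ADDomain
$Forest = Get-ADDomain -Identity (Get-ADForest).RootDomain
$AclPath = "AD:\$($Domain.DistinguishedName)"
$Acl    = Get-Acl -Path $AclPath

# Well-known GUIDs of the control-access rights used by DCSync. An all-zero ObjectType on an
# ExtendedRight ACE means "every extended right", so it is included as well.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Principals that hold these rights out of the box (assumed default names; adjust if renamed).
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($Domain.NetBIOSName)\Domain Admins",
    "$($Domain.NetBIOSName)\Domain Controllers",
    "$($Forest.NetBIOSName)\Enterprise Admins",
    "$($Forest.NetBIOSName)\Enterprise Read-only Domain Controllers"
)

$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$Report = foreach ($Ace in $Acl.Access) {
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    $Guid = $Ace.ObjectType.ToString()

    $ViaGenericAll = $Ace.ActiveDirectoryRights.HasFlag($GenericAll)
    $ViaExtended   = $Ace.ActiveDirectoryRights.HasFlag($ExtendedRight) -and $ReplicationRights.ContainsKey($Guid)
    if (-not ($ViaGenericAll -or $ViaExtended)) { continue }

    [pscustomobject]@{
        Identity  = $Ace.IdentityReference.Value
        Right     = if ($ViaGenericAll) { 'GenericAll' } else { $ReplicationRights[$Guid] }
        Inherited = $Ace.IsInherited
        Expected  = $Expected -contains $Ace.IdentityReference.Value
        Ace       = $Ace
    }
}

$Report | Sort-Object Expected, Identity | Format-Table Identity, Right, Inherited, Expected -AutoSize

if ($Remove) {
    foreach ($Entry in @($Report | Where-Object { -not $_.Expected -and -not $_.Inherited })) {
        [void]$Acl.RemoveAccessRule($Entry.Ace)
    }
    Set-Acl -Path $AclPath -AclObject $Acl
}
```

Run it read-only first: some unexpected entries are legitimate (an Azure AD Connect service account, or Exchange groups in older Exchange permission models) and should be documented rather than removed, while an individual user or a broad group such as Domain Users holding Replicating Directory Changes All is exactly the persistence described above. Re-run the report after any change and on a schedule, since the right can be re-granted by anyone who can modify the domain object's ACL.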

PRODUCT: StealthAUDIT


Resources

  • StealthAUDIT for Active Directory (data sheet)
  • StealthDEFEND for Active Directory (data sheet)
  • StealthINTERCEPT Enterprise Password Enforcer (data sheet)