Introducing StealthAUDIT 11.5! Complete your cloud security puzzle. LEARN MORE

DCSync

How to detect, prevent, and mitigate DCSync attacks

DCSync is a command within a Mimikatz that an attacker can leverage to simulate the behavior of Domain Controller (DC). More simply, it allows the attacker to pretend to be a DC and ask other DC’s for user password data.

DCSync attacks are difficult to prevent. The DCSync attack asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory (AD), it cannot be turned off or disabled. Additionally, while Domain Replication capabilities are controlled by the Replicating Changes permissions set on the domain and are limited to the Domain Admins, Enterprise Admins, Administrators, and DC groups by default, it is possible for any account or group to be granted these rights.

    Request A Free Trial


    Stealthbits’ DCSync Solution

    Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate a DCSync attack.

    Detect DCSync Attack

    Detection of DCSync is possible by looking for replication requests against domain controllers that are not originating from other domain controllers.

    APPROACH

    Domain Controller Impersonation

    DESCRIPTION

    Monitor for Active Directory replication traffic coming from a machine that is not a domain controller.

    PRODUCT: StealthDEFEND

    Prevent DCSync Attack

    Prevention of DCSync is possible by blocking replication requests against domain controllers that are not originating from other domain controllers.

    APPROACH #1

    Block Domain Controller Impersonation

    DESCRIPTION

    Monitor for Active Directory replication traffic coming from a machine that is not a domain controller.

    PRODUCT: StealthDEFEND

    APPROACH #2

    Restrict Domain Permission Changes

    DESCRIPTION

    Monitor and optionally block the ability to change permissions to the Domain. By restricting users adding permissions for replication, it will reduce the ability to create persistence where non-administrator accounts can perform the DCSync attack.

    PRODUCT: StealthDEFEND

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    Mitigate DCSync Attack

    To mitigate the DCSync attack it is necessary to restrict domain replication permissions. By default, Domain Admins and other privileged users will have these rights but they can access account information several other ways. It is important to limit other users from having these sensitive permissions.

    APPROACH

    Secure Active Directory Permissions

    DESCRIPTION

    Review the following Active Directory permission applied at the domain level:

    • Replicating Directory Changes
    • Replicating Directory Changes All

    These rights provide attackers the ability to obtain the password hashes using the DCSync technique. Regularly review and remove unnecessary permissions.

    PRODUCT: StealthAUDIT

    Seeing is believing.

    RESOURCES

    © 2021 Stealthbits Technologies, Inc.