How to detect, prevent, and mitigate DCSync attacks
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a DC and ask other DCs for user password data.
DCSync attacks are difficult to prevent. The DCSync attack asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory (AD), it cannot be turned off or disabled. Additionally, while domain replication is controlled by the Replicating Changes permissions set on the domain object, and those permissions are limited by default to the Domain Admins, Enterprise Admins, Administrators, and domain controller groups, any account or group can be granted these rights.
Stealthbits’ products provide a multitude of ways to detect, prevent, and mitigate a DCSync attack.
Detection of DCSync is possible by looking for replication requests against domain controllers that are not originating from other domain controllers.
APPROACH: Domain Controller Impersonation
DESCRIPTION: Monitor for Active Directory replication traffic coming from a machine that is not a domain controller.
PRODUCT: StealthDEFEND
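One way to implement the detection described above, as an added example that is not Stealthbits code: Windows Security event 4662 records which control-access rights were exercised on a directory object, so replication rights used by any principal other than a known domain controller account are the signal. The event dicts, field names and DC account set below are assumptions and the sample events are constructed.

```python
import re

# Added example, not Stealthbits code. Events are assumed already parsed into
# dicts keyed by the 4662 EventData field names; DC accounts are constructed.
# Control-access right GUIDs behind the "Replicating Directory Changes" family
# of domain permissions; 4662 lists the GUIDs exercised in its Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def replication_rights_used(event):
    """Names of replication rights exercised in one 4662 event ([] if none)."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return []
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, dc_accounts):
    """Alert on replication rights used by any principal that is not a DC."""
    known_dcs = {a.upper() for a in dc_accounts}  # DC-to-DC replication is normal
    alerts = []
    for ev in events:
        rights = replication_rights_used(ev)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in known_dcs:
            alerts.append({"subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
                           "rights": rights})
    return alerts


# Constructed samples: DC-to-DC replication, a user exercising the same
# rights, and an unrelated 4662 without the control-access bit set.
SYNC = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectServer": "DS", "AccessMask": "0x100", "Properties": SYNC},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectServer": "DS", "AccessMask": "0x100", "Properties": SYNC},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectServer": "DS", "AccessMask": "0x10", "Properties": SYNC},
]

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(alert)
```

Auditing of directory service access must be enabled and a SACL covering these control-access rights must exist on the domain object for 4662 to be written at all, so the absence of alerts is only meaningful once that is confirmed.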
Prevention of DCSync is possible by blocking replication requests against domain controllers that are not originating from other domain controllers.
APPROACH #1: Block Domain Controller Impersonation
DESCRIPTION: Monitor for Active Directory replication traffic coming from a machine that is not a domain controller.
PRODUCT: StealthDEFEND
APPROACH #2: Restrict Domain Permission Changes
DESCRIPTION: Monitor and optionally block the ability to change permissions on the domain. Restricting who can add replication permissions reduces an attacker's ability to create persistence in which non-administrator accounts can perform the DCSync attack.
PRODUCT: StealthDEFEND
To mitigate the DCSync attack it is necessary to restrict domain replication permissions. By default, Domain Admins and other privileged users have these rights, but they can access account information in several other ways anyway. What matters is to prevent other users from holding these sensitive permissions.
APPROACH: Secure Active Directory Permissions
DESCRIPTION: Review the following Active Directory permissions applied at the domain level:
These rights give attackers the ability to obtain password hashes using the DCSync technique. Regularly review and remove unnecessary permissions.
PRODUCT: StealthAUDIT
© 2022 Stealthbits Technologies, Inc.