Threat (Privilege Escalation)
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller (DC). More simply, it allows the attacker to pretend to be a Domain Controller and ask other DCs for user password data.
How the DCSync Attack Works
The following is a summary of how the attack works:
- An attacker compromises an account with the rights to perform domain replication (e.g. Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups by default)
- Once the proper privileges are obtained, the attacker leverages the Mimikatz DCSync command to retrieve account password hashes from Active Directory
- Once obtained, the attacker can create forged Kerberos tickets to access any resource connected to Active Directory
Important Notes about DCSync:
- The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
- While Domain Replication capabilities are controlled by the Replicating Changes permissions set on the domain (specifically Replicating Changes All and Replicating Directory Changes) and are limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups by default, it is possible for any account or group to be granted these rights.
- If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
Potential Solutions and Mitigating Controls for DCSync
The best protection from a DCSync attack is to control the domain permissions responsible for allowing accounts to replicate changes. Inevitably, some users will have this right, and they should be protected.
To avoid privileged password details being stored where attackers may compromise them, a tiered logon protocol should be used to prevent privileged accounts from logging on to servers and workstations where their password hashes can be dumped from memory and used to obtain the permissions needed to perform a DCSync attack.
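Because MS-DRSR cannot be disabled, defenders detect DCSync by watching for the replication extended rights being exercised by any principal that is not a domain controller. The following is an added example, not code from the original article: it scans constructed Windows Security event 4662 records (flattened here into `Name=Value;` form, an assumed export format) and flags non-DC accounts that used the Replicating Directory Changes rights on the domain object.

```python
import re

# Extended-right GUIDs that an account must hold for MS-DRSR replication
# (well-known Active Directory values; event 4662 lists the rights used in Properties).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def parse_event(record: str) -> dict:
    """Turn a flattened 'Name=Value; Name=Value' event record into a dict."""
    fields = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


def is_suspected_dcsync(event: dict, dc_accounts: set) -> bool:
    """True when a 4662 control-access (0x100) event shows a replication right
    exercised by a principal that is not a known domain controller account."""
    if event.get("EventID") != "4662" or event.get("AccessMask") != "0x100":
        return False
    used = set(GUID_RE.findall(event.get("Properties", "").lower()))
    if not (used & REPLICATION_GUIDS):
        return False
    subject = event.get("SubjectUserName", "").upper()
    return subject not in {a.upper() for a in dc_accounts}


def find_dcsync(records, dc_accounts):
    """Return the subject account name of every record that looks like DCSync."""
    hits = []
    for rec in records:
        ev = parse_event(rec)
        if is_suspected_dcsync(ev, dc_accounts):
            hits.append(ev["SubjectUserName"])
    return hits


# Constructed sample records (not real logs): a DC replicating normally, a helpdesk
# account reading a user attribute, and an admin account invoking DCSync.
SAMPLE_RECORDS = [
    "EventID=4662; SubjectUserName=DC02$; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={19195a5b-6da0-11d0-afd3-00c04fd930c9} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=helpdesk1; ObjectType=user; AccessMask=0x10; "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4662; SubjectUserName=jsmith-adm; ObjectType=domainDNS; AccessMask=0x100; "
    "Properties={19195a5b-6da0-11d0-afd3-00c04fd930c9} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]
KNOWN_DCS = {"DC01$", "DC02$"}  # constructed allow-list of DC computer accounts

if __name__ == "__main__":
    for name in find_dcsync(SAMPLE_RECORDS, KNOWN_DCS):
        print(f"suspected DCSync by {name}")
```

In production the allow-list should be built from the Domain Controllers OU rather than hard-coded, and the rule pairs naturally with a periodic audit of who holds these rights on the domain object.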