Overview
A DCSync attack lets an attacker impersonate a domain controller over MS-DRSR and request credential material from a real domain controller. In this article I give an overview of DCSync attacks, how they are performed, and how to remediate them.
How DCSync Attacks Work
To perform this attack you must first have access to an account that holds the domain replication privileges, shown in Windows as “Replicating Directory Changes” and “Replicating Directory Changes All”. By default these privileges are reserved for administrator-level accounts, but they can be granted to custom accounts as well. The attack uses the Directory Replication Service Remote Protocol (MS-DRSR), a critical and legitimate Active Directory service that cannot be disabled.
Performing a DCSync Attack
The first step in performing a DCSync attack is to get access to a user with DCSync privileges. Users with DCSync privileges can be enumerated with tools like PowerView and BloodHound.

In this example we can see that this user has, among other privileges, DCSync privileges in the domain. With access to this account, all that is needed is a single command with a tool like Mimikatz or impacket-secretsdump:
impacket-secretsdump <domain>/<user>:<password>@<ip>

As we can see, this is a very serious issue: these hashes could be used to launch all sorts of further attacks, such as Golden Ticket and Pass-the-Hash.
Remediation
Because this attack abuses a service that cannot be disabled, remediation options are somewhat limited, but there are still some things we can do.
- Be extremely careful about whom you grant DCSync privileges to, and make sure those accounts have robust passwords that cannot be easily cracked.
- Monitor Windows event logs for event ID 4662; this will tell you when an unauthorized DCSync takes place and lets you respond accordingly.
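As an added example (not code from the original article), here is a small Python filter that applies the event 4662 check above to constructed sample records: it flags replication requests whose subject is neither a domain controller's computer account nor an allowlisted replicator. The replication-right GUIDs are the standard extended-rights GUIDs from the Active Directory schema; the event records, the account names and the allowlisted MSOL_ sync account are constructed assumptions.

```python
import re

# Extended-rights GUIDs from the AD schema that a replication request carries in
# the Properties field of event 4662 (standard values, not taken from the article).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def find_dcsync_candidates(events, allowed_accounts=()):
    """Return (SubjectUserName, [right names]) for every 4662 record that requests a
    replication right from a subject that is neither a machine account (domain
    controllers replicate with their computer account, name ending in '$') nor an
    allowlisted service account (e.g. an Azure AD Connect sync account)."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if not rights:
            continue  # ordinary object access, not a replication request
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user.lower() in allowed:
            continue  # expected replicator
        hits.append((user, rights))
    return hits


# Constructed sample records shaped like the EventData fields of real 4662 events.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC-to-DC
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d", "ObjectType": "domainDNS",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # sync account
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "%%7688\n\t{11111111-2222-3333-4444-555555555555}"},   # constructed, not a replication right
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "domainDNS",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},             # DCSync pattern

]

if __name__ == "__main__":
    for user, rights in find_dcsync_candidates(SAMPLE_EVENTS, allowed_accounts=["MSOL_1a2b3c4d"]):
        print(f"ALERT: {user} requested {', '.join(rights)}")
```

In a real deployment the allowlist must be reviewed as carefully as the DCSync grants themselves, since any account on it is exactly the kind of account the first remediation point warns about.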