Protecting Against Active Directory DCSync Attacks - Attivo Networks
Attivo Networks Blogs

Protecting Against Active Directory DCSync Attacks

Author: Vikram Navali, Senior Technical Product Manager

Once attackers compromise a Windows endpoint, they can find credentials stored as password hashes or, in some cases, clear-text passwords. Several well-known techniques dump credentials from a compromised Windows endpoint: an attacker can obtain them from LSASS memory, the SAM database, cached domain credentials, or, if the compromised account holds replication rights in the domain, by abusing Active Directory replication (DCSync). Attackers then use these credentials to move laterally and gain a greater level of access.

Active Directory (AD) accounts that hold the “Replicating Directory Changes” rights on the domain object can retrieve credentials using the DCSync attack. Where these rights have been explicitly granted to ordinary user or service accounts, they pose a severe risk to the organization’s entire AD domain: with the KRBTGT hash obtained through DCSync, an attacker can forge a Golden Ticket and use Pass the Ticket (PTT) to gain unrestricted access to any resource in the domain.

The Risk Associated with Replication Permissions

Replication in Active Directory ensures that every domain controller (DC) synchronizes directory changes, within the same site or across sites. A security principal needs the “Replicating Directory Changes” extended rights on the domain naming context to request changes from a DC over the replication protocol; the data returned includes object attributes and, with the right variant of the permission, account secrets. Legitimately, only domain controllers and a small number of services that synchronize password data (for example, a directory synchronization agent) need these rights.

An attacker who compromises a standard, non-privileged user account that has been granted the “Replicating Directory Changes” rights can perform malicious replication to steal credentials. To retrieve password data with a DCSync attack, an account needs both of the first two rights below delegated at the domain level; the third is required only for attributes in the filtered set, and the fourth (Full Control, or GenericAll) implies all of them.

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set
  • Full Control
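The practical question raised by this list is who in your own domain currently holds these rights. The following PowerShell, an added example that is not part of the original post or of any Attivo product, reads the ACL of the domain object and flags every principal granted one of the replication extended rights or Full Control. The three extended-right GUIDs are the fixed values from the AD schema; the list of expected holders is an assumption you should adjust to your environment (for example, to add a directory synchronization service account that legitimately replicates).

```powershell
# Added example (not from the original post): list every ACE on the domain naming
# context that grants a replication extended right (or Full Control, which implies
# them) and flag holders outside the default set.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Extended-right GUIDs as defined in the AD schema (fixed values)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

# Assumption: identities that hold these rights out of the box. Tune per environment.
$domain = Get-ADDomain
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers"
)

$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$EmptyGuid     = [guid]::Empty

$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $guid = $ace.ObjectType.ToString().ToLower()
    $rightName = $null

    if ($ReplicationRights.ContainsKey($guid)) {
        # One specific replication extended right
        $rightName = $ReplicationRights[$guid]
    } elseif (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
        # Full Control on the domain object implies every extended right
        $rightName = 'Full Control (implies all replication rights)'
    } elseif ((($ace.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
              ($ace.ObjectType -eq $EmptyGuid)) {
        # ExtendedRight with an empty ObjectType means "all extended rights"
        $rightName = 'All extended rights'
    }

    if (-not $rightName) { continue }

    $identity = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity   = $identity
        Right      = $rightName
        Unexpected = -not ($ExpectedHolders -contains $identity)
    }
}

# Unexpected = True is a principal that can run DCSync (if it holds both
# Get-Changes and Get-Changes-All) and must be justified or removed.
$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run this periodically and diff the output: a new row with Unexpected = True is exactly the exposure the rest of this post describes. Note that it reports direct grants on the domain object only; a user can also obtain the rights through membership in a listed group, so the group membership of those holders deserves the same scrutiny.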

What is a DCSync Attack, and How Does it Work?

The DCSync attack is a well-known credential dumping technique that lets attackers obtain password data from the AD database without ever touching NTDS.dit on a domain controller. The attacker impersonates a DC and asks a legitimate DC to replicate account data, including password hashes, to it; the DC obliges because the requesting account holds the replication rights described above. The following high-level sequence of steps explains how a DCSync attack works and how it leads to complete control of an organization’s AD infrastructure.

  1. Compromise a standard or non-privileged user account that holds the “Replicating Directory Changes” rights.
  2. Locate a DC for the target domain.
  3. Ask the DC to replicate sensitive information such as password hashes, using the Directory Replication Service Remote Protocol (MS-DRSR) GetNCChanges request that DCs use among themselves.
  4. Obtain the NTLM hashes (and Kerberos keys) of potentially useful accounts such as KRBTGT and Administrator.
  5. Create a Golden Ticket and run Pass the Ticket (PTT) attacks to move laterally.

DCSync functionality is part of the “lsadump” module in Mimikatz, an open-source credential-dumping tool. Using an account with the required domain replication rights, attackers run the Mimikatz DCSync function to pull NTLM hashes from AD, including the current and historical hashes of potentially useful accounts. Attackers can use the following Mimikatz commands to extract hashes for KRBTGT and Administrator in the attivo1 domain (the /user argument is DOMAIN\account):

  • lsadump::dcsync /user:attivo1\krbtgt
  • lsadump::dcsync /user:attivo1\Administrator

The Credentials section of the Mimikatz output shows the current NTLM hash as well as the password history for each account. Using the KRBTGT hash, attackers then create a Golden Ticket and run a Pass the Ticket attack to gain unrestricted access to the entire AD domain.

Detecting DCSync Attacks & Mitigation Strategies

The Attivo Networks ADAssessor solution provides visibility into the accounts that hold “Replicating Directory Changes” permissions and flags unusual ones. Organizations can also deploy the Attivo ADSecure solution, which detects attackers enumerating Active Directory in preparation for a DCSync attack. The solution returns fake AD objects to attacker queries, misdirecting them away from production systems and toward decoys for engagement.

As a mitigation strategy, security administrators can manage the access control list (ACL) of the domain object for “Replicating Directory Changes” and the other permissions associated with DC replication.
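Independently of any product, a DCSync request leaves a trace in the Security log of the DC that served it: event 4662 (“An operation was performed on an object”) with the replication extended-right GUID in its Properties field, provided the Directory Service Access audit subcategory is enabled and the domain object’s SACL audits Control Access. The following PowerShell is an added example, not code from the original post or from Attivo, that hunts the last 24 hours of that log for replication requests made by anything other than a machine account. The allow-list pattern is an assumption: legitimate replication comes from DC computer accounts, but a directory synchronization service account in your environment would need to be added to it.

```powershell
# Added example (not from the original post): hunt for DCSync in a DC's Security log.
# Event 4662 with a replication extended-right GUID in Properties is a replication
# request; anything not from a DC machine account is a DCSync candidate.
# Assumes it runs on a DC (or with rights to read its Security log) with
# "Audit Directory Service Access" enabled.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Assumption: machine accounts (names ending in $) are the only expected requesters.
# Add known synchronization service accounts here if your environment has them.
$AllowListPattern = '^\S+\$$'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Properties lists the control-access GUIDs that were exercised
    $matched = $ReplicationGuids | Where-Object { $data['Properties'] -match $_ }
    if (-not $matched) { continue }
    if ($data['SubjectUserName'] -match $AllowListPattern) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object     = $data['ObjectName']
        AccessMask = $data['AccessMask']   # 0x100 = Control Access
        Rights     = ($matched -join ', ')
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

A non-machine account appearing here, even once, warrants an immediate check of where it came from: a single successful DCSync against KRBTGT is enough for a Golden Ticket, so the alert should be treated as a domain compromise until proven otherwise.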

Security administrators can remove replication permissions from accounts that should not hold them, or add explicit deny entries for specific user accounts.

By default, only a small set of identities hold replication rights on the domain object: the Administrators and Domain Controllers groups, Enterprise Domain Controllers, Enterprise Read-only Domain Controllers (filtered set only) and SYSTEM. Security administrators should compare the current ACL against that baseline, enforce least privilege for anything outside it, and keep the membership of those default groups tight, since an attacker who lands in one of them inherits the replication rights and can escalate from there.
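When the review turns up a direct grant that should not exist, the fix is to strip the offending ACEs from the domain object. The following PowerShell is an added example, not code from the original post or from Attivo, that removes the replication extended rights one specific account holds directly on the domain object. The account name “svc-legacy” is a placeholder. Do not point it at the Domain Controllers or Enterprise Domain Controllers groups, which need these rights for replication to work, and run it with -WhatIf on Set-Acl first.

```powershell
# Added example (not from the original post): remove the replication extended
# rights that one account holds directly on the domain object.
# Assumes the RSAT ActiveDirectory module and Domain Admin (or equivalent) rights.
Import-Module ActiveDirectory

$target   = 'svc-legacy'   # placeholder: the account that should not replicate
$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"
$sid      = (Get-ADUser -Identity $target).SID

$ReplicationGuids = @(
    [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # Get-Changes
    [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # Get-Changes-All
    [guid]'89e95b76-444d-4c62-991a-0facbeda640c'   # Get-Changes-In-Filtered-Set
)

$acl = Get-Acl -Path $path

# Collect the matching ACEs first, then remove them; compare by SID so the
# result does not depend on how the identity happens to be displayed.
$toRemove = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $ReplicationGuids -contains $_.ObjectType -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
})

$removed = 0
foreach ($ace in $toRemove) {
    if ($acl.RemoveAccessRule($ace)) { $removed++ }
}

if ($removed -gt 0) {
    # Add -WhatIf here on the first run to see the change without applying it
    Set-Acl -Path $path -AclObject $acl
    "Removed $removed replication ACE(s) for $target on $domainDN"
} else {
    "No direct replication ACEs found for $target; check its group memberships and any Full Control grants"
}
```

This handles only direct grants of the three extended rights. An account that obtains them through group membership or through a Full Control (GenericAll) ACE shows nothing to remove here, which is why the message in the else branch points you at those two places next. After the change, re-run the enumeration and confirm that the account can no longer perform a replication request.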

Conclusion

Replication is a critical function that keeps directory data between DCs updated and consistent, so the rights behind it cannot simply be switched off. Organizations should deploy AD protection to prevent attackers from exploiting user or service accounts that hold “Replicating Directory Changes” permissions. They can achieve this by continuously monitoring these permissions, auditing replication requests on the DCs, and taking remedial action whenever the rights appear on unauthorized AD accounts.

For more information, please visit https://attivonetworks.com/product/adassessor/ and https://attivonetworks.com/product/adsecure/
