Contact Us

The Platform

Solutions

Customers

Partners

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

Reveal(x)

The industry's only network detection
and
response platform that delivers the
360-degree
visibility needed to
uncover the cybertruth.

Deployment Model

SaaS-Based Solution >

On-Premises Solution >

Security

Network Detection and Response >

Intrusion Detection System >

Forensics >

Performance

Network Performance Monitoring >

Forensics >
caret-left Back

Solutions

Learn More

Use Cases

Explore By Industry Vertical
caret-left Back

Customers

Customer resources, training,
case studies, and more.

Learn More

Customer Community

Cybersecurity Services

ExtraHop Support
caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Learn More

Work With Us! Become a Partner

Integrations and Automations

Partners
caret-left Back

Blog

Learn More
caret-left Back

About Us

Events & Newsroom

Careers

Resources

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

Contact Us

caret-left Back

Events & Newsroom

Get the latest news and information.

Learn More

Sign Up for a Live Attack Simulation

Upcoming Webinars and Events

caret-left Back

Careers

We believe in what we're doing. Are you ready to join us?

Learn More

Careers at ExtraHop

Search Openings

Connect on LinkedIn

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories & Case Studies

Ransomware Attacks in 2021: A Retrospective

Cyberattack Glossary

Network Protocols Glossary

Documentation

Firmware

Training Videos

DCSync Attack: Definition, Examples, and Prevention

Risk Factors

Likelihood

Complexity

Business Impact

DCSync Attack

What Are DCSync Attacks?

A DCSync attack uses commands in Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to pretend to be a domain controller (DC) in order to get user credentials from another DC.

These attacks leverage what is a necessary function in Active Directory, which complicates attempts to prevent them. Large-scale networks require many DCs to function, and each of those DCs need to have up-to-date information. That requires a function allowing one DC to update another DC on any changes, like updated credential information.

Attackers subvert that necessary function by pretending to be a DC and using the DSGetNCChanges function to request password hashes. A common attack uses this method to get the KRBTGT hash, which brings them one step closer to getting a Kerberos "golden ticket."

DCSync requires a compromised user account with domain replication privileges. Once that is established, one can find a domain controller, tell it to replicate, and get password hashes from its subsequent response.

DCSync is a capability of the Mimikatz tool.

Examples of DCSync Attacks

Golden Ticket Attack

An attacker uses DCSync to get the KRBTGT hash, which allows them to control the Key Distribution Service. They can then create Ticket Granting Tickets (TGTs) for every account in the domain.

Account Manipulation

Credential access is a jumping off point for many attacks. Account manipulation encompasses many techniques (like DCSync) to get and maintain access to credentials.

Living off the Land (LotL) Attacks

DCSync can be one component of LotL attacks, which use legitimate processes on the network to achieve their aims, making detection more difficult.

Protection Against DCSync Attacks

One method is to monitor Windows event logs for Event ID 4662. Logs are an important part of security, but using them to monitor across the IT environment has significant challenges.

Monitoring traffic moving across the network is an effective method for detecting DCSync attacks. Network detection and response has the added benefit of being able to detect DCSync attacks even if the attacker has disabled logging. An attacker can use attack toolsets such as Mimikatz or 'Invoke-Phant0m' to clear event logs or stop threads from collecting logs, making an added line of defense necessary.

To make DCSync attacks more difficult, be sure to carefully control the following privileges in AD:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set

Detection of this attack can be enhanced using decryption. This attack relies on a number of different Microsoft protocols including Kerberos. Decryption of these protocols allows early detection of abnormal behavior and forged Kerberos tickets. For this reason, it's critical that security tools have decryption capabilities for all commonly encrypted Microsoft protocols such as Kerberos, MS-RPC, SMBv3, and more.

DCSync History

It used to be the case that, in order to run Mimikatz on a DC, attackers needed to first get admin access to that DC. The addition of DCSync bypasses that step, making Active Directory security more challenging.

DCSync was added as a feature of the Mimikatz tool in 2015 and was created by Benjamin Delpy and Vincent Le Toux.

The attack is often the next step after vulnerabilities, like CVE-2020-1472 Zerologon, provide attackers with the prerequisite privileges.

Domain Controllers

DCs have broad read and write privileges that can make them appealing targets for bad actors. That makes securing DCs of great importance and means security teams should be particularly concerned about vulnerabilities like PrintNightmare that can compromise DCs.

Related Reading

Learn More About Detecting DCSync

Learn More