Guarding against DCSync attacks

Gaining access to domain admin credentials is part of the endgame in many sophisticated attacks where threat actors are trying to maintain persistence. One of the ways that adversaries accomplish this is through DCSync attacks.

What is a DCSync attack?

A DCSync attack is a method where threat actors run processes that behave like a domain controller and use the Directory Replication Service (DRS) remote protocol to replicate AD information. The attack enables them to steal password hashes from real domain controllers, which they can later crack.

Performing the attack requires the attacker to have already compromised a user with the proper “Replicating Directory Changes” privileges for the target domain. Usually, attackers seek out accounts that are granted the Replicating Directory Changes All privilege, as this allows replicating the passwords of any domain account.

These privileges are by default granted only to administrators and domain controller groups. However, if you use AzureADconnect to sync some of your accounts to your AzureAD tenant, you will find that the service account used to perform this sync has also been granted those precious rights. By making a DSGetNCChanges request, the attacker can replicate credentials from Active Directory.

A frequent target for this is the krbtgt account, which is used by AD to create Kerberos tickets. With the password hash of the krbtgt account, an attacker can then launch a Golden Ticket attack that will give them the ability to log in to any service as any user.

Threat actors can launch DCSync attacks using tools like Mimikatz or the Get-ADReplAccount cmdlet from DSInternals. These tools make this technique relatively simple for attackers once they have compromised an AD account with the necessary permissions.

Unfortunately, stopping DCSync attacks is not as easy. Like other techniques that take advantage of legitimate functionality—in this case, the DRS remote protocol—it is not practical to stop DCSync attacks by disabling the service being abused. Replication enables redundancy, which all organizations need. However, there are still steps organizations can take to prevent and detect DCSync attacks against their environment.

Protecting against DCSync attacks

Organizations can take several steps to reduce the likelihood that an intruder can execute DCSync attacks.

Step one is to implement basic security and hygiene practices for Active Directory. The attack requires the threat actor to have already compromised a domain administrator account or any other account that has been granted the DCsync permissions. As such, monitoring the permissions of your domain head is critical so that you are aware of which accounts or groups have been assigned the powerful DCSync permissions. You might find that you should revoke permissions for some users who had accidentally been granted them years ago.

Protecting your Active Directory has always been and will continue to be a multi-layered task, which goes beyond validating proper settings within AD. For starters, stopping attackers from getting that deep into the environment should be priority number one: That means patching the organization’s endpoints and defending against phishing—which remains one of the top attack vectors for enterprises.

The second focus for enterprises should be on preventing lateral movement when attackers breach the network. Organizations should control access according to the principle of least privilege. Using a tiering model—where no domain account would ever log onto systems not involved in managing AD itself—will clearly make it harder for adversaries to elevate their privileges. Access rights must be regularly reviewed to ensure users do not have privileges they do not need for their duties. Networks should also be appropriately segmented to fulfill regulatory compliance mandates as well.

As it relates specifically to AD, patch management and continuous monitoring are vital. DCSync attacks can be detected on the wire through inspection of DRS traffic. DSGetNCChanges requests that are routed outside of the DC network segments or that do not originate from those segments could be an indicator of suspicious activity.

In addition, you’ll want to continuously monitor the permissions on your domain head to avoid surprises when unprivileged users are accidentally granted the DCsSync permissions and would thus cause a new vulnerability for your AD infrastructure.

Prevent DCSync attacks from opening paths to your system

More than 20 years after its introduction, Active Directory remains one of the primary targets of cyber threat actors. DCSync attacks are a crafty way for attackers to maintain persistence by ensuring they obtain a broad level of access that is not trivial to remediate.

A DCSync attack is useful for more than just credential theft—it also can be the first step toward a Golden Ticket attack. However, with a mix of network and endpoint security, organizations can reduce the likelihood of a successful attack sliding under the radar.