DCSync
Last updated
The Directory Replication Service (DRS) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.
This requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, which are usually only granted to domain admins. The technique is included here for completeness, and it will be useful later on.
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.
Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).
OPSEC
Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set).
Find these using the "Suspicious Directory Replication" saved search in Kibana.
Replication traffic usually only occurs between domain controllers but can also be seen via applications such as . Mature organisations should baseline typical DRS traffic to find suspicious outliers.
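The detection logic described above, as an added example that is not part of the original page or of Cobalt Strike or mimikatz: it scans Security event 4662 records for the two replication GUIDs the page lists and suppresses hits from a baseline of accounts that are expected to replicate. The event records are constructed to resemble Winlogbeat output, and the field names and the domain-controller allow-list are assumptions.

```python
"""Flag Windows Security event 4662 records that request the DRS replication
extended rights used by DCSync. Added example; the event layout, the
field names and the allow-list are assumptions, not from the original page."""

# Extended-right GUIDs named on the page (control access rights on the domain object).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes / DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical baseline: accounts that legitimately replicate, i.e. the machine
# accounts of the domain controllers. A real deployment derives this from inventory.
EXPECTED_REPLICATORS = {"DC01$", "DC02$"}

# Constructed sample events (not real logs) in a Winlogbeat-like layout. The
# Properties field of a real 4662 lists the GUID of the right being exercised.
SAMPLE_EVENTS = [
    {   # DC02 replicating from DC01: expected, should be suppressed by the baseline
        "event_id": 4662, "computer_name": "DC01.corp.local",
        "event_data": {"SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
                       "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                       "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {   # a user account requesting Get-Changes-All: this is the DCSync pattern
        "event_id": 4662, "computer_name": "DC01.corp.local",
        "event_data": {"SubjectUserName": "lamb", "SubjectDomainName": "CORP",
                       "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                       "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {   # a 4662 for some unrelated property (constructed placeholder GUID): ignored
        "event_id": 4662, "computer_name": "DC01.corp.local",
        "event_data": {"SubjectUserName": "lamb", "SubjectDomainName": "CORP",
                       "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
                       "Properties": "Write Property\n\t{00000000-1111-2222-3333-444444444444}"}},
    {   # a logon event: wrong event ID, ignored
        "event_id": 4624, "computer_name": "DC01.corp.local",
        "event_data": {"SubjectUserName": "lamb", "SubjectDomainName": "CORP"}},
]


def replication_rights(event):
    """Return the human-readable names of any replication rights this event exercises."""
    props = event.get("event_data", {}).get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def suspicious_replication(events, baseline=EXPECTED_REPLICATORS):
    """Return one finding per 4662 event that requests a replication right from an
    account outside the baseline. Events of other IDs and rights are ignored."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4662:
            continue
        rights = replication_rights(ev)
        if not rights:
            continue
        data = ev["event_data"]
        user = data.get("SubjectUserName", "")
        if user in baseline:
            continue  # known replicator (a domain controller); part of normal DRS traffic
        findings.append({
            "user": f"{data.get('SubjectDomainName', '')}\\{user}",
            "dc": ev.get("computer_name", ""),
            "rights": rights,
        })
    return findings


if __name__ == "__main__":
    for hit in suspicious_replication(SAMPLE_EVENTS):
        print(f"replication request from {hit['user']} on {hit['dc']}: {', '.join(hit['rights'])}")
```

The baseline check is what keeps the search usable: without it every normal DC-to-DC replication cycle fires the rule, which is why the page recommends baselining typical DRS traffic before hunting for outliers.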