DCSync

Introduction

A DCSync attack is a post-exploitation technique in which an attacker impersonates a Domain Controller and abuses Active Directory replication permissions to request account password data (NTLM hashes and Kerberos keys) from a legitimate Domain Controller over the Directory Replication Service (DRSUAPI) protocol. Because this is the same protocol Domain Controllers use to replicate with each other, the target DC answers the request as if it came from a peer.

This attack can be performed from any compromised user or computer account that holds the following permissions on the domain object (by default only Domain Admins, Enterprise Admins, Administrators and Domain Controllers have them):

  • Replicating Directory Changes (DS-Replication-Get-Changes)

  • Replicating Directory Changes All (DS-Replication-Get-Changes-All)

Setup Environment

To perform this attack, we first grant the required permissions to the user jstone, an ordinary domain user account that is not a Domain Controller. This is done in the security settings of the domain object in Active Directory Users and Computers, as illustrated in the image below:

Setting replication permission for jstone account

Attack path

I will use the attack machine (Kali) to perform a DCSync attack against the domain homelab.local, authenticating as jstone. The tool I will use is secretsdump.py from Impacket, which is pre-installed in Kali as impacket-secretsdump.

First, we need Kali to resolve the domain's names through the Domain Controller, so we point DNS resolution at the DC by adding a nameserver entry with the DC's IP address to /etc/resolv.conf (this is a DNS change, not a default-gateway change; routing is not affected):

sudo nano /etc/resolv.conf

Next, run the command below to perform the DCSync attack. The -just-dc option limits secretsdump to the replication (DCSync) path and skips the SAM and LSA dumps, which would require local administrator rights on the DC; use -just-dc-ntlm instead if only the NTLM hashes are wanted. The result lists the password hashes of the accounts in the domain.

impacket-secretsdump -just-dc <domain>/<username>:<password>@<target_domain_controller>

As we can see, the result returns the NTLM hashes (and Kerberos keys) of the domain accounts, including those of high-value accounts like krbtgt and Administrator. With the krbtgt hash exposed, an attacker can forge a Golden Ticket at any later time, and such tickets keep working until the krbtgt password has been reset twice.

Detection

To detect DCSync, we can look for Event ID 4662 (An operation was performed on an object), which the Domain Controller logs when replication rights on the domain object are exercised; the Audit Directory Service Access subcategory must be enabled for this event to be generated. Legitimate replication produces the same event, but its SubjectUserName is then a Domain Controller's machine account (a name ending in $). We should therefore look for 4662 events whose subject is a non-machine account (in this case, jstone) and whose Properties field contains 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) or 19195a5b-6da0-11d0-afd3-00c04fd930c9 (the domainDNS object class, identifying the domain naming context as the accessed object).

Event 4662

Wazuh Rule

In local_rules.xml we first add the rule below. Note that it is a level-0 rule: it matches 4662 replication events whose SubjectUserName ends in $, i.e. normal Domain-Controller-to-Domain-Controller replication, and silences them so they never become alerts. On its own it does not fire on a DCSync attack; that requires a second, higher-level rule with the same eventID and properties match but without the machine-account condition, placed after this one in the same group so that only non-machine subjects reach it.

<rule id="110009" level="0">
  <if_sid>60103</if_sid>
  <!-- 4662: An operation was performed on an object -->
  <field name="win.system.eventID">^4662$</field>
  <!-- replication control-access rights / domain object class GUIDs -->
  <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
  <!-- subject is a machine account (name ends in $): legitimate DC replication -->
  <field name="win.eventdata.SubjectUserName" type="pcre2">\$$</field>
  <options>no_full_log</options>
  <description>Ignore all Directory Service Access that is originated from a machine account containing $</description>
</rule>
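The complete rule group that both suppresses legitimate replication and alerts on DCSync, as an added example rather than the page's own configuration: the first rule is the page's rule 110009 reproduced so the group is a drop-in for local_rules.xml; the second rule is mine. Wazuh tries sibling rules (same if_sid) in file order and stops at the first match, so machine-account events are consumed by the level-0 rule and only non-machine subjects such as jstone fall through to the alert. The rule ID 110010, the level 12 and the group name are assumptions chosen for this example.

```xml
<group name="windows,dcsync,">
  <!-- Rule from the page: level 0 silences 4662 replication events whose
       subject is a machine account (name ending in $), i.e. normal DC replication. -->
  <rule id="110009" level="0">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <field name="win.eventdata.SubjectUserName" type="pcre2">\$$</field>
    <options>no_full_log</options>
    <description>Ignore all Directory Service Access that is originated from a machine account containing $</description>
  </rule>

  <!-- Added alert rule (ID and level are assumptions): same event and replication
       GUIDs, but no SubjectUserName condition. Because 110009 already matched every
       machine-account event, only non-machine subjects reach this rule. -->
  <rule id="110010" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4662$</field>
    <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
    <options>no_full_log</options>
    <description>Possible DCSync attack: directory replication requested by a non-machine account</description>
    <!-- MITRE ATT&CK: OS Credential Dumping: DCSync -->
    <mitre>
      <id>T1003.006</id>
    </mitre>
  </rule>
</group>
```

After saving the file, restart the Wazuh manager so the rules are loaded, then rerun the secretsdump command from the attack machine: the resulting 4662 events from jstone should appear as level-12 alerts, while the DC's own replication traffic stays silent.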
