DCSync Attacks: Abusing Replication Rights for Stealthy Domain Dominance
Summary
A new attack technique has been discovered called DCSync, which abuses legitimate Active Directory replication mechanisms.
This allows an attacker to simulate the behaviour of a Domain Controller and request password hashes from other DCs.
This is accomplished by leveraging the Directory Replication Service Remote Protocol, which is used by DCs for replicating directory data.
This stealthy method of obtaining credentials provides a pathway for full domain compromise and enables the attacker to achieve complete lateral dominance within a network.
It is recommended that organisations review the security of their Active Directory services to ensure they are not susceptible to this type of attack.
Additional vigilance is advised, and steps should be taken to protect sensitive information and assets.
Mimikatz, a popular credential-dumping tool, implements DCSync on top of MS-DRSR through two specific RPC calls: IDL_DRSCrackNames and IDL_DRSGetNCChanges.
An account can use these calls to retrieve credential material only if it holds the Replicating Directory Changes and Replicating Directory Changes All rights on the domain, the same rights Domain Controllers rely on to replicate with each other.
Ensuring these rights are restricted to trusted hosts and users is essential to mitigate the risk of a DCSync attack.
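The following script, added here as an example and not taken from the original post, audits which principals hold the replication control-access rights on the domain head so that unexpected delegations can be reviewed. It assumes the RSAT ActiveDirectory module on a domain-joined host, English built-in group names, and that the list of expected holders matches your environment.

```powershell
# Added example: list who holds the replication extended rights on the domain
# naming context. Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Schema GUIDs of the control-access rights DCSync depends on (well known, not page-specific).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that hold these rights by default. Assumption: adjust for your domain,
# e.g. add Azure AD Connect or other backup/sync service accounts you have approved.
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'Domain Controllers',
    'Enterprise Domain Controllers',
    'Enterprise Read-only Domain Controllers'
)

$domain = Get-ADDomain
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
    $guid = $ace.ObjectType.ToString().ToLower()
    # An empty ObjectType on an ExtendedRight ACE grants every extended right,
    # which includes the replication rights, so report it as well.
    if ($ace.ObjectType -eq [guid]::Empty) {
        $right = 'All extended rights (includes replication)'
    } elseif ($ReplicationRights.ContainsKey($guid)) {
        $right = $ReplicationRights[$guid]
    } else { continue }
    $identity = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity = $identity
        Right    = $right
        Expected = @($ExpectedHolders | Where-Object { $identity -like "*$_" }).Count -gt 0
    }
}

$findings | Sort-Object Expected, Identity | Format-Table -AutoSize
# Any unexpected holder of Get-Changes-All can replicate secrets from this domain.
$findings | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "Review delegation: $($_.Identity) holds $($_.Right)" }
```

Principals flagged as unexpected should have the right removed unless a documented service (such as a directory synchronisation account) requires it, and replication requests by non-DC accounts can additionally be watched for in Security event 4662 entries that carry the same GUIDs.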