[Detect] AD Attacks - DCSync

Reveal(x) has the capability to detect DCSync attacks on the wire as they happen. A DCSync attack is a capability of the Mimikatz tool that allows a workstation to pretend to be a Domain Controller and to try to access Active Directory password hashes for user accounts via the Domain Replication mechanism between Primary and Secondary domain controllers. In the attack, the Mimikatz tool pretends to be a backup domain controller and utilises the Directory Replication Service Remote Protocol with the DSGetNCChanges function to request password hashes from the Primary DC.

The following Mimikatz command will trigger a DCSync detection within Reveal(x):

mimikatz “lsadump::dcsync /domain:DOMAIN.LOCAL.LAN /user:krbtgt”

where you replace DOMAIN.LOCAL.LAN with the actual FQDN of the domain you are interested in.

Reveal(x) discovers DCSync attacks with our Predictive Modelling machine learning function - we look in the MSRPC protocol for the DSGetNCChanges method which should only appear between the known domain controllers on the network.