Detecting DCSync and DCShadow Network Traffic

Mimikatz can spoof a Windows domain controller in order to interact with a real one, and thereby read information from or write information to Active Directory.

Mimikatz's DCSync command is used to read information: typically, it is used to dump credentials from Active Directory. The DCShadow command is used to write information: for example, to change the primary group of an account to a group with higher privileges.

Using either of these Mimikatz commands produces Active Directory replication network traffic between the compromised machine and the domain controllers.

In this webinar, we will show you what this network traffic looks like, and how you can detect it. IDS rules to detect DCSync and DCShadow network traffic will be developed. Finally, more generic detection rules will also be covered.
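As an added illustration of the generic detection idea described above (example code, not material from the webinar), the following Python flags Active Directory replication flows in which one endpoint is not a known domain controller. The DRSUAPI interface UUID is the published MS-DRSR value; the domain controller list and the flow records are constructed for the example.

```python
"""Flag DRSUAPI (AD replication) flows that involve a host which is not a
known domain controller: a defender-side check for DCSync/DCShadow traffic."""
from dataclasses import dataclass

# Well-known DCE/RPC interface UUID of the MS-DRSR "drsuapi" interface that
# carries directory replication, including DCSync and DCShadow traffic.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"


@dataclass(frozen=True)
class RpcFlow:
    src: str         # client (initiator) address
    dst: str         # server address
    iface_uuid: str  # DCE/RPC interface UUID the client bound to


def detect_rogue_replication(flows, known_dcs):
    """Return (flow, reason) pairs for DRSUAPI flows touching a non-DC host.

    A non-DC pulling replication from a DC looks like DCSync; a DC pulling
    replication from a non-DC looks like DCShadow. DC-to-DC flows are normal.
    """
    dcs = set(known_dcs)
    alerts = []
    for f in flows:
        if f.iface_uuid.lower() != DRSUAPI_UUID:
            continue  # some other RPC interface, not replication
        src_dc, dst_dc = f.src in dcs, f.dst in dcs
        if src_dc and dst_dc:
            continue  # legitimate DC-to-DC replication
        if dst_dc:
            alerts.append((f, "non-DC requesting replication from DC (DCSync-like)"))
        elif src_dc:
            alerts.append((f, "DC replicating from a non-DC (DCShadow-like)"))
        else:
            alerts.append((f, "DRSUAPI between two non-DC hosts"))
    return alerts


# Constructed sample data (not a real capture): two DCs and one workstation.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_FLOWS = [
    RpcFlow("10.0.0.10", "10.0.0.11", DRSUAPI_UUID),  # normal replication
    RpcFlow("10.0.0.55", "10.0.0.10", DRSUAPI_UUID),  # workstation pulls from DC
    RpcFlow("10.0.0.10", "10.0.0.55", DRSUAPI_UUID),  # DC pulls from workstation
    RpcFlow("10.0.0.55", "10.0.0.10", "12345778-1234-abcd-ef00-0123456789ab"),  # lsarpc
]

if __name__ == "__main__":
    for flow, reason in detect_rogue_replication(SAMPLE_FLOWS, KNOWN_DCS):
        print(f"{flow.src} -> {flow.dst}: {reason}")
```

In a real deployment the interface UUID comes from the DCE/RPC bind in the capture and the DC list from the directory itself; the logic is the same.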

