Detecting DCSync and DCShadow Network Traffic

To interact with a real domain controller, Mimikatz can spoof a Windows domain controller and read information from, or write information to, Active Directory.

Mimikatz's DCSync command is used to read information: typically, it is used to dump credentials from Active Directory. The DCShadow command is used to write information: for example, to change the primary group of an account to a group with higher privileges. Using either of these Mimikatz commands produces Active Directory replication network traffic between the compromised machine and the domain controllers.

In this webinar we will show you what this network traffic looks like and how you can detect it, how to develop IDS rules that detect DCSync and DCShadow network traffic, and, in closing, more generic detection rules.
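The generic detection idea behind the rules mentioned above is that directory replication should only flow between domain controllers, so a replication call arriving from any other host is suspicious. The following script is an added illustration, not part of the webinar or NVISO's rule repository: it runs that check over a few constructed log lines of RPC calls. The log format is invented for the example, the allow-list of domain controller addresses is a placeholder, and the interface and method names (`drsuapi`, `DRSGetNCChanges`, `DRSAddEntry`, `DRSReplicaAdd`) are taken from the MS-DRSR replication interface as an assumption about what an IDS or RPC-aware sensor would log.

```python
"""Flag Active Directory replication RPC calls whose source is not a known
domain controller (constructed example; log format and DC list are assumptions)."""
import re
from dataclasses import dataclass

# Constructed placeholder: the domain controllers allowed to replicate with each other.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Assumed MS-DRSR method names. A read-style replication request from a non-DC is the
# DCSync pattern; a write/registration-style call from a non-DC is the DCShadow pattern.
READ_METHODS = {"DRSGetNCChanges"}
WRITE_METHODS = {"DRSAddEntry", "DRSReplicaAdd"}

# Constructed log line layout: "<timestamp> rpc <src> -> <dst> iface=<name> method=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rpc (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"iface=(?P<iface>\S+) method=(?P<method>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    method: str
    kind: str  # "dcsync" or "dcshadow"


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return "dcsync", "dcshadow" or None for a parsed record."""
    if rec["iface"] != "drsuapi":      # only the replication interface matters here
        return None
    if rec["src"] in KNOWN_DCS:        # DC-to-DC replication is expected
        return None
    if rec["method"] in READ_METHODS:
        return "dcsync"
    if rec["method"] in WRITE_METHODS:
        return "dcshadow"
    return None


def detect(lines):
    """Run the check over an iterable of log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:                # skip lines in an unexpected format
            continue
        kind = classify(rec)
        if kind:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["method"], kind))
    return alerts


# Constructed sample traffic: one legitimate DC-to-DC replication, two calls from a
# workstation address, one unrelated RPC call, and one malformed line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z rpc 10.0.0.11 -> 10.0.0.10 iface=drsuapi method=DRSGetNCChanges",
    "2024-01-01T10:00:05Z rpc 10.0.0.57 -> 10.0.0.10 iface=drsuapi method=DRSGetNCChanges",
    "2024-01-01T10:01:00Z rpc 10.0.0.57 -> 10.0.0.10 iface=drsuapi method=DRSAddEntry",
    "2024-01-01T10:01:30Z rpc 10.0.0.57 -> 10.0.0.10 iface=lsarpc method=LsarOpenPolicy2",
    "not an rpc log line",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.kind.upper():9} {a.src} -> {a.dst} ({a.method})")
```

Run as a script, it prints one DCSync-style and one DCShadow-style alert for the workstation address and stays silent for the DC-to-DC replication. The allow-list is the weak point of this approach: it must be kept in sync with the real set of domain controllers, and a DCShadow registration is precisely an attempt to add a rogue member to that set, so the list should be maintained from an authoritative inventory rather than learned from traffic.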

Read the companion article, which includes the rule repository, on NVISO's blog: Detecting DCSync and DCShadow Network Traffic.
