Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Tuesday, October 16, 2018

Mimikatz DCSync Detection

Folks,

I trust this finds you doing well. I know so many of you are waiting for me to answer the question - What's the World's Most Important Active Directory Security Capability? but before I did so, I just wanted to address something very simple and vital.


Mimikatz DCSync Detection ?! ;-)

If you're into Cyber Security, unless you live on another planet, by now you know that at the very foundation of cyber security worldwide lies Microsoft Active Directory, you know that little thing within which lie not just everyone's accounts and passwords, or for that matter the computer accounts of every single domain-joined machine, or for that matter every single domain security group that is used to protect the entirety of an organization's IT assets, but also the proverbial "Keys to the Kingdom!" etc. etc.

By the way, this isn't some secret - this is CYBER SECURITY 101 that millions of IT personnel, IT managers, CISOs and just about everyone in IT ought to know by now, considering that Active Directory has been around for almost two decades now!

Alright, fast forward...

A few years ago, a remarkably intelligent and talented Benjamin Delpy introduced a new feature in his hacking tool Mimikatz, and that feature was called Mimikatz DCSync. In essence, if you can run Mimikatz DCSync against an Active Directory, you can instantly obtain access to the credentials of literally everyone who has a domain account in that domain - we're talking the accounts of literally everyone, from Domain Admins to the CISO and from the Enterprise Admin to the CEO, etc. etc.

Now, technically, DCSync leverages the ability of a security principal to be able to request and replicate Active Directory content (including secrets i.e. password hashes) out of Active Directory. It turns out anyone who has sufficient effective permissions to be able to replicate secrets out of Active Directory can run Mimikatz DCSync, and within minutes be proverbial God!
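As an added illustration (not code from this blog or from Paramount Defenses), the sketch below reads the security descriptor of a domain root in SDDL form and lists the trustees whose allow ACEs grant both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the two extended rights that replicating secrets requires. The sample descriptor and its S-1-5-21 SIDs are constructed, and the check covers direct ACEs only: it ignores deny ACEs and does not expand group membership, so it is a first pass and not an effective-permissions assessment.

```python
import re

# rightsGuid values of the two extended rights that replicating secrets requires
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
NEEDED = set(REPL_RIGHTS.values())
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000  # SDDL tokens "CR" and "GA"

def tokens(s):
    return re.findall("..", s)  # SDDL flags and rights are two-letter codes

def has_control_access(rights):
    if rights.lower().startswith("0x"):  # rights may also be a hex mask
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool({"CR", "GA"} & set(tokens(rights)))

def replication_holders(sddl):
    """Map trustee -> replication rights granted by allow ACEs on this object."""
    holders = {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")
        if len(f) != 6 or f[0] not in ("A", "OA") or "IO" in tokens(f[1]):
            continue  # not an allow ACE, or inherit-only (does not apply here)
        if not has_control_access(f[2]):
            continue
        guid = f[3].lower()
        if guid and guid not in REPL_RIGHTS:
            continue  # some other extended right
        granted = {REPL_RIGHTS[guid]} if guid else NEEDED  # no GUID = all rights
        holders.setdefault(f[5], set()).update(granted)
    return holders

def can_replicate_secrets(sddl):
    return sorted(t for t, r in replication_holders(sddl).items() if r >= NEEDED)

# Constructed domain-root descriptor; the two S-1-5-21 SIDs are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
GC, GCA = REPL_RIGHTS  # the two GUID keys, in insertion order
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{GC};;BA)(OA;;CR;{GCA};;BA)"          # Builtin Administrators: both
    f"(OA;;CR;{GC};;ED)"                            # Enterprise DCs: Get-Changes only
    f"(OA;;CR;{GC};;{SID}-1105)(OA;;CR;{GCA};;{SID}-1105)"  # delegated account
    f"(OA;CIIO;CR;{GCA};;{SID}-1106)"               # inherit-only: not on this object
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"          # full control includes CR
    "(A;;RPLCRC;;;AU)"                              # read-only ("CR" is not a token)
)

if __name__ == "__main__":
    print(can_replicate_secrets(SAMPLE_SDDL))
```

Every trustee this returns that is not a domain controller group or a deliberately chosen administrative group is a delegation to review, and each group it returns still has to be expanded to its members.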

So, what happens? In time, Mimikatz DCSync finds global fame and glory, and it becomes a must-have tool in the arsenal of these so-called kiddish Red Teams and Blue Teams. In addition, today there's no dearth of cyber security experts who will want to blog about Mimikatz DCSync, sharing with the world its usage, how to exploit it etc. etc. and in particular how to detect it!

Here are a few random blogs a Google search seemed to suggest -
  1. Mimikatz DCSync Usage, Exploitation, and Detection
  2. Mimikatz and DCSync and ExtraSids, Oh My
  3. Modern Active Directory Attack Scenarios and How to Detect Them
  4. DCSYNC

Now, please pardon me for expressing serious concern here because if the best an organization can do is DETECT the use of Mimikatz DCSync, that's sort of like, well let me paint you a picture:



A Billion $ Organization or for that matter a Government Agency having to rely on detection of Mimikatz DCSync is akin to ....


... let's assume a SNIPER takes a shot at a target from point-blank range, and the best those protecting the target can do is try and detect the bullet in flight milliseconds before it hits its target. Well, I shouldn't have to complete the sentence for you.


Here's the Trillion $ point - if an organization is having to rely on the DETECTION of the use of Mimikatz DCSync, it's too late.

From the Domain Admin to the CISO, it's time to go home and find another job, because it would already have been too late. You're done. Once a malicious perpetrator has gained administrative access in even a single Active Directory domain, those who know anything about Active Directory Security will tell you that you've lost the entire Active Directory forest. Oh, and if you think you could easily recover that forest from a trusted forest, you've likely been getting some amateur advice ;-)


Mimikatz DCSync Mitigation

I cannot stress this enough - this is not a risk that can be addressed by detection. It needs to be mitigated and today, every single organization that operates on Microsoft Active Directory can easily mitigate the risk posed by Mimikatz DCSync. I've already spent enough time educating the world about this, so I'm not going to waste one more precious minute on this.

For every org that wants to learn how to do so - How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync


Incidentally, the astute mind will observe that whether it be mitigating the risk posed by Mimikatz DCSync or securing access to just about anything and everything in Active Directory, all that organizations worldwide (including likely the $800 Billion Microsoft) require is 1 single, fundamental cyber security capability - The Most Important Active Directory Security Capability in the World.





A Request to All Experts Out There

To all cyber security experts and cyber security companies (including Microsoft) out there, I have a request - if you truly know Active Directory Security, let's see you go beyond helping the world learn how to use, exploit and detect Mimikatz DCSync...


...let's see you teach the world how to actually mitigate this risk, perhaps with an example, for when you get there, you'll likely realize that not a single object in any Active Directory domain worldwide can be adequately secured without possessing this.


Alright, that's it. I'm not wasting one more minute of my precious time on this little distraction of a thing called Mimikatz DCSync.


After all this dry stuff, perhaps I should end on a humorous note - Time to Ignite an Intellectual Spark at Microsoft Ignite 2018 ;-)

Best wishes,
Sanjay.
