Use Wireshark to inspect network traffic that occurred during DCSync attack operations.
Identify DCSync operations originating from non-Domain Controller systems.
Using Wireshark, identify IOCs of possible misuse of the DCSync process, which legitimately synchronizes Active Directory partitions between Domain Controllers.
The goal is to recognize this DCSync on the wire while it is happening, rather than only after the credentials have left the domain controller. So, let's go ahead and look at some packets that were captured during the compromise event.
RDP: Member Server
Username: labs\itadmin
Password: APTClass2021!
Use Wireshark on this system and download the packets for this lab.
Once the packet capture is downloaded, paste the following string as a filter in Wireshark. This will give us back the conversations between the domain controller (where the capture was taken) and the HELK / attack rig.
ip.src == 10.10.98.20 or ip.dst == 10.10.98.20
Once the capture is filtered down to the traffic between the domain controller (10.10.98.10) and the attack rig (10.10.98.20), review the TCP streams: select a packet, then click Analyze > Follow > TCP Stream.
An additional window pops up, and we can review the contents of the captured stream.
Finally, sort the filtered capture by protocol. DCSync uses the Directory Replication Service (DRS) Remote Protocol, which Wireshark dissects as DRSUAPI: the attacker first calls DsBind and then DsGetNCChanges, the same call a domain controller uses to pull changes (including password hashes) from its replication partners. Because the call itself is legitimate, the IOC is a DsGetNCChanges request whose source address is not a domain controller.
In the packet details pane, the dissected packet is stacked by layer (the "Frame" line at the top is capture metadata such as arrival time and frame length, not an OSI layer):
Layer 2 - Data Link - Ethernet frame, with source/destination MAC addresses
Layer 3 - Network - IP addresses (source/destination)
Layer 4 - Transport - TCP ports in this case (source/destination)
Layer 7 - Application - DCE/RPC carrying the DRSUAPI call (DsBind, DsGetNCChanges)
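To show what Wireshark's DRSUAPI dissector is actually keying on, here is an added Python example (not part of the lab or of any tool it mentions) that parses DCE/RPC bind and request PDUs, resolves each request's presentation context to the interface it was bound to, and flags DsGetNCChanges (opnum 3) requests on the drsuapi interface from hosts outside a domain-controller allowlist. All packets are constructed inside the script; 10.10.98.10 as the DC and 10.10.98.20 as the attack rig follow the lab's filter, while the second DC at 10.10.98.11, the SAMR decoy exchange and the per-address-pair context tracking are assumptions made for the example.

```python
"""Added example: the check behind a DCSync IOC, written out by hand.
A DCSync is a DCE/RPC bind to the MS-DRSR (drsuapi) interface followed by a
DsGetNCChanges request (opnum 3). Replication partners make the same call, so
the indicator is the source address, not the call itself.
"""
import struct
import uuid
from dataclasses import dataclass

# Interface UUIDs as carried in a DCE/RPC bind (MS-DRSR, MS-SAMR) and the NDR transfer syntax.
DRSUAPI_UUID = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")
SAMR_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

OPNUM_DSBIND = 0          # IDL_DRSBind
OPNUM_GET_NC_CHANGES = 3  # IDL_DRSGetNCChanges: replication, and therefore DCSync
PTYPE_REQUEST, PTYPE_BIND = 0, 11

# Hosts allowed to replicate: 10.10.98.10 is the lab DC, 10.10.98.11 an assumed second DC.
DC_HOSTS = {"10.10.98.10", "10.10.98.11"}


@dataclass
class Packet:
    src: str
    dst: str
    pdu: bytes  # one DCE/RPC PDU, TCP framing already stripped


@dataclass
class Alert:
    src: str
    dst: str
    opnum: int


def _header(ptype, frag_len, call_id):
    # rpc_vers, minor, ptype, pfc_flags (first|last frag), drep (0x10 = little-endian), frag_len, auth_len, call_id
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", frag_len, 0, call_id)


def build_bind(call_id, context_id, abstract_uuid, version=4):
    """Bind PDU offering one presentation context (abstract syntax + NDR transfer syntax)."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)   # max frag sizes, assoc group, 1 context
    body += struct.pack("<HBx", context_id, 1)        # context id, 1 transfer syntax
    body += abstract_uuid.bytes_le + struct.pack("<I", version)
    body += NDR_UUID.bytes_le + struct.pack("<I", 2)
    return _header(PTYPE_BIND, 16 + len(body), call_id) + body


def build_request(call_id, context_id, opnum, stub=b""):
    """Request PDU: alloc_hint, presentation context id, opnum, then the NDR stub."""
    body = struct.pack("<IHH", len(stub), context_id, opnum) + stub
    return _header(PTYPE_REQUEST, 16 + len(body), call_id) + body


def parse_pdu(pdu):
    """Return (ptype, call_id, body) for one little-endian DCE/RPC v5 PDU."""
    if len(pdu) < 16:
        raise ValueError("truncated DCE/RPC header")
    vers, _minor, ptype, _flags, drep, frag_len, _auth, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or (drep[0] >> 4) != 1:
        raise ValueError("unsupported DCE/RPC version or byte order")
    return ptype, call_id, pdu[16:frag_len]


def parse_bind_contexts(body):
    """Map each presentation context id in a bind body to its abstract syntax UUID."""
    off, contexts = 12, {}
    for _ in range(body[8]):                       # number of context elements
        ctx_id, n_ts = struct.unpack_from("<HB", body, off)
        off += 4
        contexts[ctx_id] = uuid.UUID(bytes_le=body[off:off + 16])
        off += 20 + 20 * n_ts                      # abstract syntax+version, then each transfer syntax
    return contexts


def parse_request(body):
    """Return (context_id, opnum) from a request body."""
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
    return ctx_id, opnum


def detect_dcsync(packets, dc_hosts=DC_HOSTS):
    """Flag DsGetNCChanges on the drsuapi interface from sources that are not DCs.
    Simplification: contexts are tracked per (src, dst) pair; context ids are really
    only unique per TCP association, so a real tool keys on the connection."""
    contexts, alerts = {}, []
    for p in packets:
        ptype, _call_id, body = parse_pdu(p.pdu)
        key = (p.src, p.dst)
        if ptype == PTYPE_BIND:
            contexts.setdefault(key, {}).update(parse_bind_contexts(body))
        elif ptype == PTYPE_REQUEST:
            ctx_id, opnum = parse_request(body)
            iface = contexts.get(key, {}).get(ctx_id)
            if iface == DRSUAPI_UUID and opnum == OPNUM_GET_NC_CHANGES and p.src not in dc_hosts:
                alerts.append(Alert(p.src, p.dst, opnum))
    return alerts


DC, DC2, RIG = "10.10.98.10", "10.10.98.11", "10.10.98.20"
SAMPLE_PACKETS = [  # constructed for this example
    Packet(DC2, DC, build_bind(1, 0, DRSUAPI_UUID)),            # normal replication: DC2 pulls from DC
    Packet(DC2, DC, build_request(2, 0, OPNUM_GET_NC_CHANGES)),
    Packet(RIG, DC, build_bind(1, 0, SAMR_UUID)),               # opnum 3 on SAMR is not DCSync
    Packet(RIG, DC, build_request(2, 0, 3)),
    Packet(RIG, DC, build_bind(3, 1, DRSUAPI_UUID)),            # DCSync: bind drsuapi, DsBind, DsGetNCChanges
    Packet(RIG, DC, build_request(4, 1, OPNUM_DSBIND)),
    Packet(RIG, DC, build_request(5, 1, OPNUM_GET_NC_CHANGES)),
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_PACKETS):
        print(f"DCSync indicator: DsGetNCChanges (opnum {a.opnum}) from non-DC {a.src} to {a.dst}")
```

In the Wireshark GUI the same check is the display filter drsuapi && dcerpc.opnum == 3, followed by a look at ip.src on each matching request: anything that is not a known domain controller is the IOC. The SAMR packets in the sample are there to show why the context must be resolved to an interface first; opnum 3 means something different on every interface.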
References: https://adsecurity.org/?p=1729
You have completed this lab.