L1151-Blue - DCSync Network Analysis

Lab Contents

Lab Overview

Use Wireshark to inspect network traffic that occurred during DCSync attack operations.

Lab Objectives

Identify DCSync operations occurring on non-Domain Controller systems.

Lab Overview

Using Wireshark, identify IOCs of possible misuse of the DCSync process, which normally syncs Active Directory partitions between Domain Controllers.

Step One

Wireshark DCSync Network Analysis

We needed to catch this DCSync before it happened. So let's look at some packets that were captured during the compromise event.

RDP: Member Server
Username: labs\itadmin
Password: APTClass2021!

Use Wireshark on this system and download the packets for this lab.

Once the packet capture is downloaded, paste the following string as a filter in Wireshark. This will give us back the conversations between the domain controller (where the capture was taken) and the HELK / attack rig.

Hunt Search Term

ip.src == 10.10.98.20 or ip.dst == 10.10.98.20

Once the packets are filtered to just 10.10.98.10 and 10.10.98.20, let's review the TCP streams. As shown below, click on Analyze > Follow > TCP Stream.

An additional window pops up, and we can review the streams captured.

Finally, sort the filtered capture by protocol. DRSUAPI is the interface leveraged to replicate the user credentials: the GetNCChanges call, carried over the Directory Replication Service (DRS) Remote Protocol, is the same request Domain Controllers use to sync with each other, so the indicator is a GetNCChanges request whose source is not a Domain Controller.
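To turn that manual review into a repeatable check, here is an added example (not part of the lab) that flags GetNCChanges requests from hosts that are not known Domain Controllers. It assumes the lab addressing (10.10.98.10 is the DC, 10.10.98.20 the HELK / attack rig) and input lines in the shape of tshark field output (frame.time_epoch, ip.src, ip.dst, drsuapi.opnum, dcerpc.pkt_type); the sample lines are constructed, not taken from the lab capture.

```python
"""Flag DRSUAPI GetNCChanges (DCSync) requests whose source is not a known Domain Controller."""
from dataclasses import dataclass

# Assumed lab addressing: 10.10.98.10 is the Domain Controller where the
# capture was taken; 10.10.98.20 is the HELK / attack rig.
KNOWN_DCS = {"10.10.98.10"}

# DRSUAPI opnum 3 is DRSGetNCChanges (MS-DRSR); DCE/RPC pkt_type 0 is a request.
GETNCCHANGES_OPNUM = 3
DCERPC_REQUEST = 0

# Constructed sample in the shape of
#   tshark -r capture.pcap -T fields -E separator=, -e frame.time_epoch \
#          -e ip.src -e ip.dst -e drsuapi.opnum -e dcerpc.pkt_type
# Values are hypothetical, not from the lab capture.
SAMPLE_TSHARK_LINES = [
    "1617000001.10,10.10.98.10,10.10.98.11,3,0",  # DC-to-DC replication: benign
    "1617000002.20,10.10.98.11,10.10.98.10,3,2",  # response (pkt_type 2) from the DC
    "1617000003.30,10.10.98.20,10.10.98.10,3,0",  # non-DC host requesting GetNCChanges
    "1617000003.31,10.10.98.10,10.10.98.20,3,2",  # DC replying with the changes
    "1617000004.40,10.10.98.20,10.10.98.10,0,0",  # opnum 0 (DsBind): context only
    "1617000005.50,10.10.98.20,10.10.98.10,,",    # non-DRSUAPI packet: fields empty
]

@dataclass(frozen=True)
class Finding:
    time: float
    src: str
    dst: str

def parse_line(line):
    """Return (time, src, dst, opnum, pkt_type), or None when the DRSUAPI fields are empty."""
    parts = line.rstrip("\n").split(",")
    if len(parts) != 5 or parts[3] == "" or parts[4] == "":
        return None
    time, src, dst, opnum, pkt_type = parts
    return float(time), src, dst, int(opnum), int(pkt_type)

def find_dcsync(lines, known_dcs=KNOWN_DCS):
    """Return a Finding for every GetNCChanges request not sent by a known DC."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        time, src, dst, opnum, pkt_type = rec
        if opnum == GETNCCHANGES_OPNUM and pkt_type == DCERPC_REQUEST and src not in known_dcs:
            findings.append(Finding(time, src, dst))
    return findings

if __name__ == "__main__":
    for f in find_dcsync(SAMPLE_TSHARK_LINES):
        print(f"possible DCSync: {f.src} -> {f.dst} at {f.time}")
```

The equivalent Wireshark display filter for the lab capture is `drsuapi.opnum == 3 && !(ip.src == 10.10.98.10)`, which narrows the view to GetNCChanges traffic not originating from the Domain Controller.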

Step Two

Quiz time!!!!

Layer 1 - Physical Layer - 802.3 Ethernet Frame

Layer 2 - MAC addresses (source/destination)

Layer 3 - IP addresses (source/destination)

Layer 4 - TCP ports in this case (source/destination)

References: https://adsecurity.org/?p=1729

You have completed this lab.

Lab Complete