Detecting DCSync and DCShadow Network Traffic



Mimikatz can impersonate a Windows domain controller when talking to a real one: it speaks the directory replication protocol (MS-DRSR, exposed as the DRSUAPI RPC interface) that domain controllers use among themselves, and uses it to read information from or write information to Active Directory.

Mimikatz's DCSync command reads: it asks a domain controller to replicate directory objects to it, and is typically used to dump credentials (password hashes) from Active Directory without ever touching the NTDS.dit file on disk. The DCShadow command writes: it registers the compromised machine as a domain controller and pushes changes into the directory, for example setting an account's primary group to a group with higher privileges.

Both commands therefore produce Active Directory replication network traffic between the compromised machine and the domain controllers, traffic that normally flows only between domain controllers.

In this webinar, we will show what this network traffic looks like and how to detect it. IDS rules that detect DCSync and DCShadow network traffic will be developed. Finally, more generic detection rules will also be covered.
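The detection logic below is an added example written for this page; it is not code from the webinar or from SANS. It runs over a handful of constructed, Zeek-style dce_rpc log lines (tab-separated, with the fields ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, rtt, named_pipe, endpoint, operation) and flags replication calls that should never originate from, or be served by, a non-domain-controller. The DRSUAPI interface UUID and opnums come from the MS-DRSR specification; the IP addresses, the DC_HOSTS set and the REPLICATION_ALLOWLIST are assumptions made up for the demo.

```python
"""Flag DCSync- and DCShadow-style MS-DRSR (drsuapi) traffic in Zeek-style
dce_rpc log lines. Added example for this page, not the webinar's own rules."""
from dataclasses import dataclass
from typing import List, Optional

# MS-DRSR interface UUID and the opnums that matter for these two attacks.
DRSUAPI_IFACE_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
DRSUAPI_OPNUMS = {
    0: "DRSBind",
    3: "DRSGetNCChanges",  # DCSync: pull objects (incl. secrets) from a DC
    5: "DRSReplicaAdd",    # DCShadow: make the real DC replicate from the rogue DC
    17: "DRSAddEntry",     # DCShadow: register the rogue nTDSDSA object
}

# Assumed for the demo: the legitimate domain controllers, and non-DC hosts that
# are allowed to call DRSGetNCChanges (e.g. an Azure AD Connect server doing
# password hash sync). Neither set comes from the page.
DC_HOSTS = {"10.0.0.10", "10.0.0.11"}
REPLICATION_ALLOWLIST = {"10.0.0.50"}

DCSYNC_OPS = {"DRSGetNCChanges"}
DCSHADOW_OPS = {"DRSAddEntry", "DRSReplicaAdd"}

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]

# Constructed sample log (Zeek dce_rpc.log layout). 10.0.0.77 is the attacker.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1636121400.000000\tC1\t10.0.0.10\t49152\t10.0.0.11\t49158\t0.001\t-\tdrsuapi\tDRSGetNCChanges
1636121410.000000\tC2\t10.0.0.50\t50000\t10.0.0.10\t49158\t0.002\t-\tdrsuapi\tDRSGetNCChanges
1636121420.000000\tC3\t10.0.0.77\t51000\t10.0.0.10\t49158\t0.002\t-\tdrsuapi\tDRSBind
1636121421.000000\tC3\t10.0.0.77\t51000\t10.0.0.10\t49158\t0.002\t-\tdrsuapi\tDRSGetNCChanges
1636121500.000000\tC4\t10.0.0.77\t51010\t10.0.0.10\t49158\t0.003\t-\tdrsuapi\tDRSAddEntry
1636121501.000000\tC5\t10.0.0.77\t51011\t10.0.0.10\t49158\t0.003\t-\tdrsuapi\tDRSReplicaAdd
1636121502.000000\tC6\t10.0.0.10\t49170\t10.0.0.77\t49200\t0.003\t-\tdrsuapi\tDRSGetNCChanges
1636121600.000000\tC7\t10.0.0.77\t51020\t10.0.0.10\t445\t0.001\t\\\\pipe\\\\lsass\tlsarpc\tLsarOpenPolicy2
"""


@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    operation: str


def parse_dce_rpc_line(line: str) -> dict:
    """Split one tab-separated dce_rpc record into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def classify(rec: dict) -> Optional[Alert]:
    """Return an Alert for suspicious drsuapi traffic, or None if it looks benign."""
    if rec["endpoint"] != "drsuapi":
        return None
    src, dst, op = rec["orig_h"], rec["resp_h"], rec["operation"]
    # A non-DC serving replication requests: a DC pulling from a rogue DC (DCShadow).
    if dst not in DC_HOSTS:
        return Alert("DCShadow", src, dst, op)
    if src in DC_HOSTS:
        return None  # DC-to-DC replication is normal
    # A non-DC registering itself or forcing replication into a real DC.
    if op in DCSHADOW_OPS:
        return Alert("DCShadow", src, dst, op)
    # A non-DC pulling objects from a DC, unless it is a known sync appliance.
    if op in DCSYNC_OPS and src not in REPLICATION_ALLOWLIST:
        return Alert("DCSync", src, dst, op)
    # Generic rule: any other drsuapi call (e.g. the DRSBind) from a non-DC.
    if src not in REPLICATION_ALLOWLIST:
        return Alert("DRSUAPI-from-non-DC", src, dst, op)
    return None


def detect(lines) -> List[Alert]:
    """Run classify() over log lines, skipping Zeek header lines."""
    alerts = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        alert = classify(parse_dce_rpc_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.kind:20} {a.src} -> {a.dst} {a.operation}")
```

Two points matter when turning this into real IDS rules. DRSUAPI runs over dynamic RPC ports, so the rule has to key on the DCE/RPC bind to the interface UUID (and the opnum), not on a port number; and some non-DC systems legitimately call DRSGetNCChanges (directory synchronisation appliances such as Azure AD Connect, some backup tools), so the source allowlist is what keeps the DCSync rule from paging you on every password hash sync. The "DC replicating from a non-DC" check is the more robust DCShadow signal, because a legitimate DC will never bind to drsuapi on a workstation or member server.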

Relevant Government Agencies

Other Federal Agencies, Federal Government, State & Local Government


Event Type
Webcast


This event has no exhibitor/sponsor opportunities


When
Fri, Nov 5, 2021, 10:30am ET


Cost
Complimentary:    $ 0.00




Organizer
SANS Institute




