Detecting DCSync and DCShadow Network Traffic
Mimikatz can impersonate a Windows domain controller in order to interact with a real one, reading information from or writing information to Active Directory.
Mimikatz's DCSync command is used to read information: typically, it is used to dump credentials from Active Directory. The DCShadow command is used to write information: for example, to change an account's primary group to a group with higher privileges.
Use of these Mimikatz commands generates Active Directory replication traffic between the compromised machine and the domain controllers.
In this webinar, we will show what this network traffic looks like and how you can detect it. We will develop IDS rules to detect DCSync and DCShadow network traffic, and finally cover more generic detection rules as well.
Relevant Government Agencies
Other Federal Agencies, Federal Government, State & Local Government
Event Type
Webcast
This event has no exhibitor/sponsor opportunities
When
Fri, Nov 5, 2021, 10:30am ET
Cost
Complimentary: $0.00
Organizer
SANS Institute