Hacker explains: in the shadow of the domain controller - DCSync & DCShadow

01:36:16 | Yves force | 11.04.2019

This webinar shows the tools and techniques used to simulate a domain controller and how the domain can be manipulated with the popular DCShadow and DCSync attacks. Finally, it shows how the featured attacks can be detected and averted.

What are these attacks?

DCShadow is a method for manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). After registration, a malicious DC can inject changes into the AD infrastructure or locally replicate domain objects, including credentials.

In the second attack, called DCSync, the Directory Replication Service (DRS) is used to access password hashes from the NTDS.DIT file, in which the domain users are managed. This technique can be performed with the rights of a domain administrator from any system in the domain. Thus, an attacker does not have to log on to the DC itself to access this sensitive data.
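Because DCSync issues replication requests from a system that is not a DC, one detection approach is to look for Windows Security event 4662 entries in which a replication control access right is exercised by an account that is not a known domain controller. The following is an added example, not material from the webinar; the allow-list, the account names and the sample events are constructed assumptions, and events are reduced to plain dictionaries.

```python
# Added example: flag directory replication requests that do not come from a DC.
# Event 4662 fields are reduced to plain dicts; all sample values are constructed.

# Control access right GUIDs for AD replication (schema constants).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the defender maintains this allow-list of DC computer accounts.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def replication_rights_used(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def find_suspicious_replication(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return alerts for replication rights exercised by a non-DC account."""
    allowed = {a.lower() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_used(ev)
        account = ev.get("SubjectUserName", "")
        if rights and account.lower() not in allowed:
            alerts.append({"time": ev.get("TimeCreated"), "account": account, "rights": rights})
    return alerts


# Constructed sample events (not taken from a real log).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2019-04-11T09:00:01Z", "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2019-04-11T09:03:47Z", "SubjectUserName": "adm.example",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2019-04-11T09:05:10Z", "SubjectUserName": "svc.backup",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2019-04-11T09:06:00Z", "SubjectUserName": "adm.example"},
]

if __name__ == "__main__":
    for alert in find_suspicious_replication(SAMPLE_EVENTS):
        print(alert)
```

Accounts that legitimately replicate, such as a directory synchronisation service account, belong on the allow-list; event 4662 is only written when directory service access auditing is enabled on the domain controllers.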