A new wave of attacks attributed to the Qilin ransomware group has highlighted a sophisticated method of privilege escalation, taking advantage of Active Directory’s replication protocols. This approach allows attackers to extract domain credentials, including sensitive KRBTGT hashes and NTLM password hashes, across the domain.
Uncovering the DCSync Technique
Security expert Maurice Fielenbach unearthed this method through detailed analysis of Windows Security logs. He discovered that the Microsoft Entra Connect synchronization account, usually an MSOL_* account, was engaging in regular directory replication every two minutes. This predictable activity was noted at times like 01:19, 01:21, and 01:23.
However, at 01:25, a notable anomaly appeared. Hundreds of Event ID 4662 entries were recorded, but this time under the built-in Administrator account, which typically does not perform such bulk replication tasks.
Understanding Event ID 4662
Event ID 4662 is critical in tracking operations against Active Directory objects, assuming directory service access auditing is enabled. In this case, malicious activities were marked by specific properties:
- ObjectServer: DS (Directory Service)
- AccessMask: 0x100 (Control Access)
- Properties with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
- Properties with GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
The second GUID is particularly significant as it offers access to secret domain data, such as password hashes, mirroring the rights used by domain controllers during standard replication processes.
Detecting DCSync Attacks
The DCSync method, extensively used by tools like Mimikatz, mimics a domain controller to solicit password information via the Directory Replication Service Remote Protocol (MS-DRSR), without directly accessing a domain controller’s disk.
Although a single Event ID 4662 with these GUIDs isn’t inherently harmful, the change in identity rather than volume was a red flag. The activity originated from an account outside the typical group of accounts authorized for replication.
Security analysts recommend that identity monitoring should be prioritized over mere event counting, given the variability in event counts based on request scope and audit configuration.
To bolster defenses, organizations should audit permissions for Replicating Directory Changes, enable Directory Service Access auditing on domain controllers, and incorporate 4662 events into SIEM systems to flag suspicious accounts.
As Qilin ransomware continues to evolve with a focus on credential theft, detection of DCSync attacks should be a fundamental security measure rather than an advanced one.
