Didier Stevens

Sunday 8 October 2017

Quickpost: Mimikatz DCSync Detection

Filed under: Hacking,Networking,Quickpost — Didier Stevens @ 22:40

Benjamin Delpy/@gentilkiwi’s Brucon workshop on Mimikatz inspired me to resume my work on detecting DCSync usage inside networks.

Here are 2 Suricata rules to detect Active Directory replication traffic between a domain controller and a domain member like a workstation (e.g. not a domain controller):

alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI"; flow:established,to_server; content:"|05 00 0b|"; depth:3; content:"|35 42 51 e3 06 4b d1 11 ab 04 00 c0 4f c2 dc d2|"; depth:100; flowbits:set,drsuapi; flowbits:noalert; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:"Mimikatz DRSUAPI DsGetNCChanges Request"; flow:established,to_server; flowbits:isset,drsuapi; content:"|05 00 00|"; depth:3; content:"|03 00|"; offset:22; depth:2; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000002; rev:1;)

Variable DC_SERVERS should be set to the IP addresses of the domain controllers.

The first rule will set a flowbit (drsuapi) when DCE/RPC traffic is detected to bind to the directory replication interface (DRSUAPI).

The second rule will detect a DCE/RPC DsGetNCChanges request if the flowbit drsuapi is set.

These rules were tested in a test environment with normal traffic between a workstation and a domain controller, and with Mimikatz DCSync traffic. They were not tested in a production network.

Quickpost info


  1. […] Quickpost: Mimikatz DCSync Detection […]

    Pingback by Overview of Content Published In October | Didier Stevens — Wednesday 1 November 2017 @ 0:00

  2. Noticed some issues with these rules when testing DCSync in a live enterprise environment – lots of false positives. Not sure if your actual rule was different when you tested, but there’s a syntax issue with the second rule missing the semicolon after “offset:22″. Once this is corrected it eliminated the false positives, but also has a zero hit rate against true positives. This was then corrected by changing the content match from |00 03| to |03 00| – which appears to be the Opnum for DsGetNCChanges. So the corrected 2nd rule might be:

    alert tcp !$DC_SERVERS any -> $DC_SERVERS any (msg:”Mimikatz DRSUAPI DsGetNCChanges Request”; flow:established,to_server; flowbits:isset,drsuapi; content:”|05 00 00|”; depth:3; content:”|03 00|”; offset:22; depth:2; reference:url,blog.didierstevens.com; classtype:policy-violation; sid:1000002; rev:2;)

    Have had excellent results in the preliminary testing of this modified rule. Look forward to your thoughts and appreciate your work in documenting this.

    Comment by Drew Graybeal — Wednesday 29 August 2018 @ 21:19

  3. Hi, thanks a bunch for the rule! There’s a typo in the second rule at “offset:22 depth:2;”, a semi-colon is missing after 22. Cheers

    Comment by nico — Tuesday 8 June 2021 @ 11:09

  4. Thank you

    Comment by Didier Stevens — Tuesday 8 June 2021 @ 11:32

  5. Hi again 🙂 I believe the second rule should read *content:”|03 00|”* instead of *content:”|00 03|”* (for opnum 3: GetNCChanges, https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b63730ac-614c-431c-9501-28d6aca91894)

    Comment by nico — Wednesday 23 June 2021 @ 6:39

  6. Didier did you see Nico’s comment?

    Comment by Steve Stonebraker — Thursday 1 July 2021 @ 16:00

  7. Yes, I did, but I’m just back from holiday, and am catching up.

    Comment by Didier Stevens — Thursday 1 July 2021 @ 22:23

  8. Thanks a lot for your comment Drew, there are indeed bugs in the rule. I’ll fix them.

    Comment by Didier Stevens — Wednesday 28 July 2021 @ 20:49

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.