Netwrix StealthINTERCEPT provides blocking policies that can prevent an account or workstation from executing additional replication, which can slow down an attack and give responders more time to completely eliminate the threat. The standard playbook response of disabling the user account may not be enough, since by the time you spot the attack in progress, the attacker likely has a host of other resources and options available to them. To execute DCSync, an attacker needs elevated privileges, so the key to thwarting an attack is to immediately block privilege escalation. If the same user executes multiple DCSync attacks, this critical information will also be included. The solution provides a clear summary of the suspicious activity, as well as a visualization illustrating which user perpetrated the attack, the domain and user being targeted, and supporting evidence of the attack. Its primary detection method is finding patterns of behavior matching DCSync, including replication activity between a domain controller and a machine that is not a domain controller. It does not rely on event logs or network packet capture. Netwrix StealthDEFEND monitors all domain replication traffic for signs of DCSync. If you have n98-magerun2.phar installed, you can get a decrypted config value with something like: php bin/n98-magerun2.phar config:store:get -decrypt payment/webpay/keyid.
How Netwrix Solutions Can Help You Detect and Thwart DCSync Attacks Detection
0 kommentar(er)
