Discover and read the best of Twitter Threads about #dsinternals

Most recents (1)

🧵 (1/) Bypassing IDS DCSync Signature for #secretsdump

I’ve been asked lately to bypass a private IDS rule for #impacket’s DCSync operation and I’ve immediately remembered this Charlie’s question ⬇️
🧵 (2/) The rule triggers when a bunch of SMB requests are followed by all this DRSUAPI stuff. Unlike #mimikatz or #DSInternals DCSync, the sequence of SMB+DRSUAPI traffic is unique for secretsdump[.]py attack, thus it becomes an IOC and can be fingerprinted ⬇️ Image
🧵 (3/) The second series of the SMB requests is related to the RemoteOperations.connectSamr() call in the NTDSHashes class which is only needed to verify that’s out target is actually a DC, so it can be excluded from the attack with no consequences ⬇️ ImageImage
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!