DCSYNCMonitor: Monitors for DCSYNC and DCSHADOW attacks
DCSYNCMonitor
Description
This tool is an application/service that can be deployed on Domain Controllers to alert on Domain Controller synchronization attempts. When an attempt is detected, the tool writes an event to the Windows Event Log; these events can then be correlated in a SIEM. In addition, the tool can take a list of valid DC IPs and, in that configuration, only alerts when a DC SYNC attempt comes from a non-DC IP. It is meant to give Blue Teams a way to combat DC SYNC and DC SHADOW attacks without commercial tools like Microsoft ATA or a fancy IDS/IPS.
DC SYNC Warning events occur when no list of valid DC IPs is provided, or when a DC SYNC comes from a valid DC IP.
DC SYNC Error events occur when a list of valid DC IPs is provided and a DC SYNC comes from any other IP address.
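The two alert levels above reduce to a simple decision: is an allowlist configured, and is the requesting address on it? The following Python is an added example written for this page, not code from the DCSYNCMonitor project; it models that decision and the kind of per-source roll-up a SIEM rule would build from the resulting events. The sample attempts, the account names and the allowlist are constructed, and allowing CIDR ranges in the allowlist is an assumption of the example rather than a documented feature of the tool.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


# Constructed sample input (not real telemetry): one record per replication
# request as a monitor running on a DC might observe it.
@dataclass(frozen=True)
class SyncAttempt:
    timestamp: str
    source_ip: str
    account: str  # account that issued the replication request


SAMPLE_ATTEMPTS: List[SyncAttempt] = [
    SyncAttempt("2018-06-01T10:00:01Z", "10.0.0.5", "DC02$"),       # known DC
    SyncAttempt("2018-06-01T10:02:17Z", "10.0.0.77", "jdoe"),       # workstation
    SyncAttempt("2018-06-01T10:02:18Z", "10.0.0.77", "jdoe"),       # repeat
    SyncAttempt("2018-06-01T10:05:00Z", "fe80::1", "DC03$"),        # IPv6 DC
    SyncAttempt("2018-06-01T10:09:44Z", "not-an-ip", "svc_backup"),  # malformed source
]

# Hypothetical allowlist of DC addresses. Accepting CIDR ranges as well as
# single addresses is an assumption of this example, not a feature of the tool.
VALID_DC_IPS: List[str] = ["10.0.0.5", "10.0.0.6", "fe80::/64"]


def _parse_allowlist(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn allowlist strings into networks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_sync_attempt(source_ip: str, valid_dc_ips: Iterable[str]) -> str:
    """Return the alert level the page describes.

    'Warning' when no allowlist is configured, or when the source is a listed DC;
    'Error' when an allowlist exists and the source is anything else.
    """
    allowlist = list(valid_dc_ips)
    if not allowlist:
        return "Warning"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # An unparsable source cannot be matched to a DC, so treat it as non-DC.
        return "Error"
    # Membership across IP versions is False, so a v6 source never matches a v4 entry.
    return "Warning" if any(addr in net for net in _parse_allowlist(allowlist)) else "Error"


def summarize(attempts: Iterable[SyncAttempt], valid_dc_ips: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Group attempts by alert level and count them per source IP,
    the roll-up a SIEM correlation rule would build from the tool's events."""
    out: Dict[str, Dict[str, int]] = {"Warning": {}, "Error": {}}
    allowlist = list(valid_dc_ips)
    for attempt in attempts:
        level = classify_sync_attempt(attempt.source_ip, allowlist)
        out[level][attempt.source_ip] = out[level].get(attempt.source_ip, 0) + 1
    return out


if __name__ == "__main__":
    for level, sources in summarize(SAMPLE_ATTEMPTS, VALID_DC_IPS).items():
        for ip, count in sources.items():
            print(f"{level}: {count} DC SYNC attempt(s) from {ip}")
```

Run against the constructed sample, the two DC sources land under Warning and the workstation (twice) and the malformed source land under Error; with an empty allowlist every attempt is a Warning, which is why supplying the DC list is what turns the tool's output into an actionable alert rather than a log of all replication traffic.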
Demo
Copyright (c) 2018 shellster
Source: https://github.com/shellster/