Last updated
Was this helpful?
Last updated
Was this helpful?
DCSync is a technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller. This attack can lead to the compromise of major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also for by attackers. The consequences of this attack are similar to an but the practical aspect differ. A DCSync is not a simple copy & parse of the NTDS.dit file, it's a DsGetNCChanges operation transported in an RPC request to the DRSUAPI (Directory Replication Service API) to replicate data (including credentials) from a domain controller.
This attack requires domain admin privileges to succeed (more specifically, it needs the following extended privileges: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. In some cases, over-privileged accounts can be abused to .
This attack can also be operated with a , but only if the target domain controller is vulnerable to since the DRSUAPI always requires signing.
On Windows, (C) can be used to operate a DCSync and recover the krbtgt keys for a for example. For this attack to work, the following mimikatz command should run in an elevated context (i.e. through runas with plaintext password, or ).
MITRE ATT&CK™ Sub-technique T1003.006
.ntds
LM and NT password hashes
.cleartext
Passwords stored using reversible encryption
.kerberos
Kerberos keys (DES, AES128 and AES256)
.sam
.secrets
Domain controller's
Domain controller's
