DCSync Attack

Overview

The attack uses an account that holds the Replicating Directory Changes and Replicating Directory Changes All privileges, together with the Directory Replication Service (DRS) Remote Protocol, to simulate the behavior of a domain controller (DC) and retrieve password data through domain replication.

Once the attacker has obtained the KRBTGT hash this way, they can conduct a Golden Ticket attack.

Netwrix Blog - What Is DCSync Attack?

Privileged Accounts

  • Members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups have the required privileges by default.

  • Any user can be granted these privileges.

  • In addition, some applications, such as Azure Active Directory Connect, have a legitimate need for replication permissions, so their service accounts can also be targeted.

Tools

Detection/Response

Monitor replication activities between a domain controller and a machine that is not a domain controller.
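One way to turn that monitoring rule into detection logic, as an added example that is not part of the original page: scan Windows Security event 4662 records for the directory replication control-access rights and flag any requester that is neither a known DC computer account nor an allow-listed replication service account. The DC names, the service account name and the log lines are constructed for the example; the three replication right GUIDs are the real Active Directory values.

```python
# Added example: detect DCSync-style replication requests in event 4662 data.
# The event records and account names below are constructed sample data.
import re

# Control access right GUIDs that a replication request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed environment knowledge (constructed): DC computer accounts and
# service accounts with a legitimate need to replicate, e.g. Azure AD Connect.
KNOWN_DCS = {"DC01$", "DC02$"}
ALLOWED_SERVICE_ACCOUNTS = {"MSOL_a1b2c3d4"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

def parse_event(line):
    """Parse a flattened 'key=value;' event record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split(";") if "=" in kv)

def replication_alert(event):
    """Return alert details if this 4662 record looks like DCSync, else None."""
    if event.get("EventID") != "4662":
        return None
    rights = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    hits = rights & set(REPLICATION_RIGHTS)
    if not hits:
        return None
    user = event.get("SubjectUserName", "")
    if user in KNOWN_DCS or user in ALLOWED_SERVICE_ACCOUNTS:
        return None  # expected replication partner
    return {"user": user, "rights": sorted(REPLICATION_RIGHTS[g] for g in hits)}

def find_dcsync_events(lines):
    """Run the check over raw event lines and collect alerts."""
    alerts = [replication_alert(parse_event(line)) for line in lines]
    return [a for a in alerts if a]

# Constructed sample records: a DC, an allow-listed sync account, a regular
# user requesting replication rights, and an unrelated object access.
SAMPLE_LOG = [
    "EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=MSOL_a1b2c3d4;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jdoe;ObjectType=user;AccessMask=0x10;"
    "Properties={deadbeef-0000-4000-8000-000000000001}",  # constructed GUID
]
```

The DS-Replication-Get-Changes-All right is the one that exposes secrets, so treat a hit on it from any non-DC account as the strongest signal; maintaining the allow list is the main operational cost of this check.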

Apply blocking policies that can prevent an account or workstation from performing further replication.
