
DCsync Attack


Last updated 1 year ago

Overview

The attack uses an account that holds the Replicating Directory Changes All and Replicating Directory Changes privileges, together with the Directory Replication Service (DRS) Remote Protocol, to impersonate a domain controller (DC) and retrieve password data via domain replication.

Once the attacker has the KRBTGT hash, it can go on to conduct a Golden Ticket attack.

Privileged Accounts

  • Members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups hold the required privileges by default.

  • Any other user can also be granted these privileges.

  • In addition, some applications, such as Azure Active Directory Connect, have a legitimate need for replication permissions, so their service accounts can also be targeted.

Tools

Detection/Response

Monitor replication activity between a domain controller and any machine that is not a domain controller.

Blocking policies can prevent an account or workstation from performing further replication.

Related HackTheBox machines

Forest
Reference: Netwrix Blog - What Is DCSync Attack? (DCSync Attack Using Mimikatz)