DCSync Attack
Overview
The attack uses an account that holds the Replicating Directory Changes and Replicating Directory Changes All privileges, together with the Directory Replication Service (DRS) Remote Protocol, to impersonate a domain controller (DC) and retrieve password data through domain replication.
Once the attacker obtains the KRBTGT hash, they can conduct a Golden Ticket attack.
Netwrix Blog - What Is DCSync Attack?
Privileged Accounts
Members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups have the required privileges by default, and any user can be granted these privileges.
In addition, some applications, such as Azure Active Directory Connect, have a legitimate need for replication permissions, so their service accounts can also be targeted.
Tools
Detection/Response
Monitor replication activity between a domain controller and a machine that is not a domain controller.
Blocking policies can prevent an account or workstation from performing further replication.
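The monitoring point above, as an added example that is not part of the original page: a small detector over constructed, flattened Windows Security event 4662 records (directory service access auditing must be enabled for these to exist) that flags replication-right requests from any principal that is neither a known DC computer account nor an approved replication service account such as the Azure AD Connect one. The DC names and the MSOL_ account name are assumed allowlist values; the replication right GUIDs are the well-known AD control-access rights.

```python
import re

# Well-known control-access-right GUIDs that a DCSync must request; they show up
# in the Properties field of event 4662 when directory service access is audited.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlists: the domain's DC computer accounts and the service accounts
# with a legitimate need to replicate (e.g. the Azure AD Connect MSOL_ account).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
REPLICATION_SERVICE_ACCOUNTS = {"MSOL_a1b2c3d4e5f6"}

# Constructed sample of 4662 records flattened to key=value lines (not real logs).
# The last line uses a made-up property GUID to stand for ordinary, non-replication access.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=MSOL_a1b2c3d4e5f6 ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=jdoe ObjectType=user Properties={00000000-0000-0000-0000-000000000001}
"""

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_event(line):
    """Turn one constructed key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect_dcsync(log_text):
    """Return (subject, [right names]) for every 4662 that requests a replication
    right from a principal that is neither a DC nor an approved replication account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue  # some other directory access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject in DOMAIN_CONTROLLERS or subject in REPLICATION_SERVICE_ACCOUNTS:
            continue  # expected replication partner
        findings.append((subject, rights))
    return findings
```

Event 4662 does not carry the caller's network address, so to name the non-DC machine the finding must be correlated with the matching logon event for that account.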
Related HackTheBox machines