A primer on DCSync attack and detection
Updated: Feb 2
Hello All,
Active directory is a backbone of almost all the organizations. It helps the IT team to manage the systems, users, policies etc, centrally across the complete network. Since it is integral part of the organization, it open's multiple opportunity for the attackers to leverage the features of active directory and abuse them for malicious intent. We will look at one such feature known as Active Directory Replication in this post.
In this post we will look at few approach that we can use to detect the DCSync attack and gain understand about the attack. DCSync attack and detection is already explained by Sean Metcalf & Will Schroeder in their blog post.
About Active Directory Replication
Domain Controllers (DC) are the pillars of Active Directory (AD) environment. Organizations often have multiple Domain Controllers for it's Active Directory as a backup or they have different Domain Controllers for each location so that the authentication and other policies can be made available locally on the site location. Now as there are multiple Domain Controllers in the organization it is important that every Domain Controller is aware of every changes made in the environment. This changes are sync with each Domain Controller via Microsoft Directory Replication Service Remote Protocol (MS-DRSR). AD uses several counters and tables to ensure that every DC has the most current information for each attribute and object and to prevent any endless replication loops. AD uses naming contexts (NCs), also known as directory partitions, to segment replication. Every forest has a minimum of three NCs: the domain NC, the configuration NC, and the schema NC. AD also supports special NCs, often known as application partitions or non-domain naming contexts (NDNCs). DNS uses NDNCs (e.g., DomainDnsZones, ForestDnsZones). Each NC or NDNC replicates independently of one another.
About DCSync Attack
DCSync is a technique used to extract credentials from the Domain Controllers. In this we mimic a Domain Controller and leverage the (MS-DRSR) protocol and request for replication using GetNCChanges function. In response to this the Domain Controller will return the replication data that includes password hashes. This technique was added in Mimikatz tool in August 2015 by Benjamin Delpy and Vincent Le Toux.
To perform DCSync attack we need the following rights on the Domain Object:
1) Replicating Directory Changes (DS-Replication-Get-Changes)
2) Replicating Directory Changes All (DS-Replication-Get-Changes-All)
3) Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set) (this one isn’t always needed but we can add it just in case)
Generally members of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts by default have the above rights.
DCSync Attack Scenario
We will look at 2 Scenarios in this blog post:
Note: There can be many more scenario that you can think of to perform DCSync attack.
1) We assume that we have User account hash that is the member of Domain Admins group
2) We assume that we have User credentials that has WriteDACL rights on the Domain Object
1) First Scenario
So let's assume that we have already compromised the user account that is the member of Domain Admins group. In our Lab we have a user named storagesvc that is a member of the Domain Admins group as we can see in the below screenshot.
So we can now perform the OverPass-The-Hash attack using Invoke-Mimikatz PowerShell script and start a new PowerShell console with the privileges of the storagesvc user.
In the New PowerShell console we can load the Invoke-Mimikatz PowerShell script and perform the DCSync attack.
As we can see in the above screenshot we were able to perform DCSync attack successfully and retrieve the KRBTGT account hash.
2) Second Scenario
So let's assume that we have already found the clear text credential of the user that has WriteDACL privileges on the Domain Object. In our Lab we have a user named sharepointmaster that has WriteDACL rights on the Domain Object as we can see in the below screenshot.
We will leverage the PowerView script to grant the DCSync rights to another user(adversary) that we own.
Note:- We can also grant DCSync rights to sharepointmaster user.
We will enumerate and confirm if adversary user has DCSync rights.