krbtgt
keys used legitimately for tickets creation, but also for tickets forging by attackers. The consequences of this attack are similar to an NTDS.dit dump and parsing but the practical aspect differ. A DCSync is not a simple copy & parse of the NTDS.dit file, it's a DsGetNCChanges
operation transported in an RPC request to the DRSUAPI (Directory Replication Service API) to replicate data (including credentials) from a domain controller.DS-Replication-Get-Changes
and DS-Replication-Get-Changes-All
). Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. In some cases, over-privileged accounts can be abused to grant controlled objects the right to DCSync.lsadump::dcsync
to operate a DCSync and recover the krbtgt
keys for a golden ticket attack for example. For this attack to work, the following mimikatz command should run in an elevated context (i.e. through runas with plaintext password, pass-the-hash or pass-the-ticket).CIFS/domaincontroller
SPN when using Kerberos tickets) while Mimikatz relies on LDAP before doing the DCSync (hence requiring a LDAP/domaincontroller
SPN when using Kerberos tickets)