Submitted URL: https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Effective URL: https://stealthbits.com/blog/extracting-user-password-data-with-mimikatz-dcsync/
Submission Tags: falconsandbox
Submission: On February 03 via api from US — Scanned from DE
Stealthbits Blog > Extracting User Password Data with Mimikatz DCSync

EXTRACTING USER PASSWORD DATA WITH MIMIKATZ DCSYNC

July 11, 2017 | Jeff Warren | Active Directory Attacks | 12 Comments

INTRODUCTION: EXTRACTING USER PASSWORD DATA WITH MIMIKATZ DCSYNC

Mimikatz provides a variety of ways to extract and manipulate credentials, but probably one of the most useful and scary ways is using the DCSync command. This attack simulates the behavior of a domain controller and asks other domain controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Basically, it lets you pretend to be a domain controller and ask for user password data. Most importantly, this can be done without running any code on a domain controller, as opposed to the other ways Mimikatz extracts password data. This can be used by attackers to get any account’s NTLM hash, including the KRBTGT account, which enables attackers to create Golden Tickets.
The trickiest part of this attack is that it takes advantage of a valid and necessary function of Active Directory, so it cannot be turned off or disabled.

WHO CAN PERFORM A DCSYNC ATTACK?

Performing a DCSync is quite simple. The only prerequisite to worry about is that you have an account with rights to perform domain replication. This is controlled by the Replicating Changes permissions set on the domain. Having both the Replicating Directory Changes All and the Replicating Directory Changes permissions will allow you to perform this attack. By default, this is limited to the Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups.

If you would like to quickly find any users who can perform the DCSync attack outside of these default permissions, the following PowerShell script will help. It enumerates all of the domain-level permissions for a domain and finds every grant of these rights to a principal with a RID above 1000, which excludes the default (well-known) groups.

#Get all permissions in the domain, filtered to the two critical replication permissions represented by their GUIDs
#  1131f6ad-... = DS-Replication-Get-Changes-All (Replicating Directory Changes All)
#  1131f6aa-... = DS-Replication-Get-Changes     (Replicating Directory Changes)
Import-Module ActiveDirectory
cd 'AD:\DC=JEFFLAB,DC=local'
$AllReplACLs = (Get-Acl).Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -or $_.ObjectType -eq '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'}

#Filter this list to RIDs above 1000 which will exclude well-known Administrator groups
#(non-domain SIDs such as S-1-5-9 have no 8th component, so $RID is empty and they are skipped)
foreach ($ACL in $AllReplACLs)
{
    $user = New-Object System.Security.Principal.NTAccount($ACL.IdentityReference)
    $SID = $user.Translate([System.Security.Principal.SecurityIdentifier])
    $RID = $SID.ToString().Split("-")[7]
    if([int]$RID -gt 1000)
    {
        Write-Host "Permission to Sync AD granted to:" $ACL.IdentityReference
    }
}

Running this will output an entry for each permission given to a user or group who probably shouldn’t be there.

PERFORMING DCSYNC

If you do have the necessary rights, the rest is quite simple.
Simply execute the following command:

Lsadump::dcsync /domain:[YOUR DOMAIN] /user:[ANY USER WHOSE PASSWORD DETAILS YOU WANT]

The post shows that command run against the KRBTGT account to retrieve its hash. Another notable feature is that if the password is stored with reversible encryption, a clear-text password is returned.

PROTECTIONS FROM DCSYNC

The best protection is controlling the domain permissions outlined earlier and ensuring that only the necessary accounts have the ability to replicate information from your domain. Inevitably, some accounts will have this right, and they should be protected so that their password details are not stored where attackers may compromise them. Start by running the script provided above against all domains to be sure you don’t have any improper users with rights to perform this attack.

Video: How Attackers Are Stealing Your Credentials with Mimikatz.

Jeff Warren

Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits (now part of Netwrix), Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development. With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions. Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
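The protections section covers the preventive side (auditing who holds the replication rights). The detective side is watching for the replication request itself: when Directory Service Access auditing is enabled on the domain object, each DCSync request is logged as Windows Security Event ID 4662 whose Properties block lists the control-access GUIDs involved, the same GUIDs the script above filters on (the comments on this post discuss the event and the GUIDs). The following Python script is an added example, not code from the original post or from Stealthbits: it parses the text body of 4662 messages, keeps only events that request a replication right, and flags any account other than a known domain controller, rating the event HIGH when DS-Replication-Get-Changes-All (the right that exposes password data) was requested and LOW when only DS-Replication-Get-Changes was. The event messages, account names, the JEFFLAB domain values and the known-DC list are constructed for the example, and the field layout of the message is an assumption about how 4662 renders in Event Viewer.

```python
import re
from dataclasses import dataclass

# Control access right GUIDs that appear in the "Properties" block of a 4662 event.
# The first two are the GUIDs the article's PowerShell script filters on; the third
# is the filtered-set variant named in the comments.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
SECRETS_RIGHT = "DS-Replication-Get-Changes-All"   # the right that exposes password data

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
# Assumed 4662 message layout: "<Field>:<whitespace><value>" lines in the Subject/Operation blocks
FIELD_RE = re.compile(r"^\s*(Account Name|Account Domain|Access Mask):\s*(\S+)", re.M)


@dataclass
class ReplicationEvent:
    account: str        # DOMAIN\name taken from the Subject block
    access_mask: str    # 0x100 is Control Access
    rights: list        # friendly names of the replication rights requested


def parse_4662(message):
    """Parse one 4662 message body. Returns None unless the Properties block
    names at least one replication control-access right."""
    fields = dict(FIELD_RE.findall(message))
    parts = message.split("Properties:", 1)
    if len(parts) < 2:
        return None
    # Only GUIDs listed under Properties matter; Object Type etc. are ignored
    guids = [g.lower() for g in GUID_RE.findall(parts[1])]
    rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
    if not rights:
        return None
    account = f"{fields.get('Account Domain', '?')}\\{fields.get('Account Name', '?')}"
    return ReplicationEvent(account, fields.get("Access Mask", "?"), rights)


def triage(messages, known_dcs):
    """Return (account, severity, rights) for every replication request made by an
    account that is not a known domain controller. HIGH means Get-Changes-All was
    requested, i.e. secret attributes such as password hashes were pulled."""
    dcs = {d.upper() for d in known_dcs}
    findings = []
    for msg in messages:
        ev = parse_4662(msg)
        if ev is None or ev.account.upper() in dcs:
            continue   # not a replication request, or legitimate DC-to-DC replication
        severity = "HIGH" if SECRETS_RIGHT in ev.rights else "LOW"
        findings.append((ev.account, severity, ev.rights))
    return findings


def _sample_4662(name, domain, guids):
    """Build a constructed 4662 message body for the example (not a real log export)."""
    props = "\n".join(f"\t\t{{{g}}}" for g in guids)
    return (
        "An operation was performed on an object.\n\n"
        "Subject :\n"
        "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104\n"
        f"\tAccount Name:\t\t{name}\n"
        f"\tAccount Domain:\t\t{domain}\n"
        "\tLogon ID:\t\t0x3E7A1\n\n"
        "Object:\n"
        "\tObject Server:\t\tDS\n"
        "\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"
        "\tObject Name:\t\t%{00000000-0000-0000-0000-000000000000}\n\n"
        "Operation:\n"
        "\tOperation Type:\t\tObject Access\n"
        "\tAccesses:\t\tControl Access\n"
        "\tAccess Mask:\t\t0x100\n"
        "\tProperties:\t\tControl Access\n"
        f"{props}\n"
    )


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # domainDNS class GUID, not a right

# Constructed sample: a DC replicating normally, a service account holding only
# Get-Changes, and a user account pulling secrets (the DCSync pattern).
SAMPLE_EVENTS = [
    _sample_4662("DC01$", "JEFFLAB", [GET_CHANGES, GET_CHANGES_ALL, DOMAIN_CLASS]),
    _sample_4662("svc_sharepoint", "JEFFLAB", [GET_CHANGES, DOMAIN_CLASS]),
    _sample_4662("jsmith", "JEFFLAB", [GET_CHANGES, GET_CHANGES_ALL, DOMAIN_CLASS]),
]
KNOWN_DCS = {"JEFFLAB\\DC01$"}

if __name__ == "__main__":
    for account, severity, rights in triage(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"{severity:4} {account:<24} {', '.join(rights)}")
```

In production the known-DC set should come from the actual domain controller computer accounts rather than from a name suffix, and a service account that legitimately holds only Replicating Directory Changes (the SharePoint case raised in the comments) can be allowlisted at LOW severity while any request for Get-Changes-All from a non-DC stays HIGH. The event only records that replication was requested, not which objects were returned, so the finding is the trigger for an investigation, not the full picture.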
COMMENTS (12)

Achwak, February 15, 2018 at 4:56 pm
Good evening sir, I thank you so much for this article. I just have a small question. I couldn’t find the window allowing me to activate “Replicating Changes All” and “Replicating Directory Changes”. Could you please tell me how to do it? Best regards.

Jeff Warren, February 16, 2018 at 11:15 am
Those are special permissions that can be applied at the domain level. To see them, open up Active Directory Users & Computers and go to the properties of one of your top-level domains; from there go to the Security tab and you should be able to see those options in the list of permissions. This will not appear on OUs or other objects, so be sure to look at the domain level (jefflab.local in my case).

Kedar, February 22, 2018 at 4:13 pm
What are the special permissions?

Jeff Warren, February 26, 2018 at 8:48 am
The special permissions I was referring to are the ‘Replicating Directory Changes’ and ‘Replicating Directory Changes All’. These are ‘special’ in that they cannot be applied on any object and just at the domain level, and are required for DCSync to work. That makes this particular attack interesting because a user could be granted these permissions separate from any membership in privileged groups and still be able to perform the DCSync attack.

Somu, August 7, 2020 at 4:27 pm
Hi Jeff, nice article. After reading I am having the following queries:
1. Does an account require both the Replicating Directory Changes and Replicating Directory Changes All permissions to perform a DCSync attack?
2. With the ‘Replicating Directory Changes All’ permission only the accounts’ password hash sync will happen, right? In this case, can an account perform DCSync with the Replicating Directory Changes All permission alone?
3. In the SharePoint case, the SharePoint service account will have the Replicating Directory Changes permission alone. Since both Changes and Changes All use the same MS-DRSR protocol, will the SharePoint account also be considered a perpetrator account?
4. Is there a way to differentiate accounts performing Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes in Filtered Set?
Eagerly awaiting your response. Thanks, Somu

Joe Dibley, August 10, 2020 at 8:20 am
Hi Somu, the responses to your questions are as follows:
1. Yes, an account does require both the Replicating Directory Changes and the Replicating Directory Changes All to perform the DCSync attack.
2. Only having the “Replicating Directory Changes All” will not allow an account to perform the DCSync attack on its own, because it specifically only controls access to the secret data inside Active Directory for replication, whereas the Replicating Directory Changes permission allows the account to trigger the replication with a given NC.
3. With SharePoint, I believe as you have stated that it only has the Replicating Directory Changes permission, so whilst it can perform replication of account data it does not have access to the actual secrets (password hashes etc.) of the accounts. This should be somewhat safe to exclude from threat detection tooling, but I would only do so if you are also strictly monitoring for ACL changes on the domain to make sure it doesn’t get granted the Replicating Directory Changes All permission as well.
4. It is possible to differentiate between the different permissions used by enabling Directory Service Access auditing and then looking for Event ID 4662 to monitor for properties which contain the following GUIDs:
DS-Replication-Get-Changes -> 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
DS-Replication-Get-Changes-All -> 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
DS-Replication-Get-Changes-In-Filtered-Set -> 89e95b76-444d-4c62-991a-0facbeda640c
Other Control Access Rights can be found here: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
A thing to note with the standard logs for Event ID 4662 is that it is only possible to tell that replication was performed and not what. To see what was replicated it is required to enable the diagnostic logging, which will be extremely verbose and is not recommended for long-term production use.
Cheers, Joe (Stealthbits)

Grzegorz, February 23, 2018 at 11:24 am
Hi Jeff! Good article. Please check DCShadow. It is also interesting.

Jeff Warren, February 26, 2018 at 8:46 am
Thanks, I have had some time to learn about DCShadow recently and you’re right, it is interesting (also scary). I am writing a series about that as well which you can find here.

wh1t3rbt, July 4, 2018 at 4:43 am
Please may you provide the script?

Jeff Warren, July 9, 2018 at 9:09 am
Script added!

Felipe, April 2, 2019 at 2:32 pm
Hi, what permissions does the SYSTEM user have to have?

Jeff Warren, April 3, 2019 at 3:32 pm
This attack doesn’t need to run under the SYSTEM account; that is something that DCShadow requires. In any case, whether you run this as a user or computer, that account will need the replication permissions listed above in the blog post granted on the domain object.

© 2022 Stealthbits Technologies, Inc.