Submitted URL: https://blog.stealthbits.com/extracting-user-password-data-with-mimikatz-dcsync/
Effective URL: https://stealthbits.com/blog/extracting-user-password-data-with-mimikatz-dcsync/
Stealthbits


EXTRACTING USER PASSWORD DATA WITH MIMIKATZ DCSYNC


July 11, 2017 | Jeff Warren | Active Directory Attacks | 12 Comments


INTRODUCTION: EXTRACTING USER PASSWORD DATA WITH MIMIKATZ DCSYNC

Mimikatz provides a variety of ways to extract and manipulate credentials, but
probably one of the most useful and scary is the DCSync command. The attack
simulates the behavior of a domain controller: it asks a real domain controller
to replicate directory data using the Directory Replication Service Remote
Protocol (MS-DRSR), the same protocol domain controllers use to replicate with
each other. Basically, it lets you pretend to be a domain controller and ask for
a user's password data. Most importantly, unlike the other ways Mimikatz
extracts password data (reading LSASS memory, the SAM, or the NTDS.dit database
on the box itself), this runs no code on a domain controller at all: the request
is an ordinary RPC call from any host that can reach a DC and holds suitable
credentials. Attackers use it to obtain any account's NTLM hash, including the
KRBTGT account's, which is exactly what is needed to create Golden Tickets. The
trickiest part of this attack is that it takes advantage of a valid and
necessary function of Active Directory, so it cannot be turned off or disabled;
it can only be contained by controlling who is allowed to replicate.


WHO CAN PERFORM A DCSYNC ATTACK?

Performing a DCSync is quite simple. The only prerequisite to worry about is
that you have an account with rights to perform domain replication. This is
controlled by two extended rights (control access rights) set on the domain
object itself: Replicating Directory Changes (DS-Replication-Get-Changes) and
Replicating Directory Changes All (DS-Replication-Get-Changes-All). An account
needs both to perform this attack: the first lets it ask a DC to replicate a
naming context at all, the second lets it receive the secret attributes
(password hashes and other credential material) in the reply. An account with
only Replicating Directory Changes can replicate non-secret data but cannot pull
hashes.

By default these rights are held by the built-in Administrators group (and so,
through membership, by Domain Admins and Enterprise Admins), by the Domain
Controllers group, and by Enterprise Domain Controllers. If you would like to
quickly find any users who can perform the DCSync attack outside of these
defaults, the following PowerShell script will help. It enumerates the ACL on
the domain object, keeps only the ACEs that grant one of the two replication
rights, and reports every grantee whose RID is above 1000, which excludes the
well-known default principals (built-in groups and default accounts all have
RIDs below 1000). Note that it reports principals named directly in the ACL, so
if a custom group appears in the output, review that group's membership as well.

# Get all permissions on the domain object, filtered to the two critical replication
# rights, which are identified in the ACL by their control-access-right GUIDs
Import-Module ActiveDirectory

cd 'AD:\DC=JEFFLAB,DC=local'   # replace with the distinguished name of your domain

$ReplGuids = @('1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
               '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes
$AllReplACLs = (Get-Acl).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $ReplGuids -contains $_.ObjectType.ToString()
}

# Filter this list to RIDs above 1000, which excludes the well-known administrator
# groups and default principals
foreach ($ACL in $AllReplACLs)
{
    try {
        # IdentityReference may already be a SID if the name cannot be resolved
        $SID = $ACL.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Could not resolve $($ACL.IdentityReference)"
        continue
    }
    # The RID is the last sub-authority; built-in and well-known SIDs end in a small number
    $RID = [int]$SID.Value.Split('-')[-1]
    if ($RID -gt 1000)
    {
        Write-Host "Permission to Sync AD granted to:" $ACL.IdentityReference "($($SID.Value))"
    }
}



Running this prints one line for each ACE that grants a user or group these
rights, and anything it lists is a principal that probably should not be there.
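The script above reports only the principals that appear directly in the domain ACL and uses the RID as a rough "non-default" filter. The following is an added example written for this edit, not code from the original post: it keeps the GUID matching but also treats an "all extended rights" or Full Control ACE as granting both rights, flags only principals that hold both (the precondition for DCSync), and expands any group among them to its effective nested membership. It assumes the RSAT ActiveDirectory module on a domain-joined host; the domain is taken from Get-ADDomain rather than hard-coded.

```powershell
Import-Module ActiveDirectory

# Control-access-right GUIDs for the two replication rights (MS-ADTS)
$GetChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$AllRights     = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"

function Get-DCSyncPrincipals {
    # Returns one object per principal named in the domain-root ACL with either right,
    # flagging those that hold both (the DCSync precondition) and listing group members.
    $domain = Get-ADDomain
    $acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    # principal name -> set of replication right GUIDs it is explicitly Allowed
    $held = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString()
        $grants = @()
        if ($guid -eq $GetChanges -or $guid -eq $GetChangesAll) {
            $grants = @($guid)
        } elseif ($guid -eq $AllRights -and
                  ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # "All extended rights" (or GenericAll / Full Control) covers both replication rights
            $grants = @($GetChanges, $GetChangesAll)
        }
        if ($grants.Count -eq 0) { continue }
        $name = $ace.IdentityReference.Value      # e.g. 'JEFFLAB\svc-sync', 'BUILTIN\Administrators'
        if (-not $held.ContainsKey($name)) { $held[$name] = @{} }
        foreach ($g in $grants) { $held[$name][$g] = $true }
    }

    foreach ($name in $held.Keys) {
        $members = @()
        # Expand groups to their effective (nested) membership. Well-known principals such as
        # 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS' have no AD object and are left as-is.
        $sam = $name.Split('\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($obj -and $obj.ObjectClass -eq 'group') {
            try {
                $members = @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                             ForEach-Object { $_.SamAccountName })
            } catch {
                $members = @("<could not expand: $($_.Exception.Message)>")
            }
        }
        [pscustomobject]@{
            Principal     = $name
            GetChanges    = $held[$name].ContainsKey($GetChanges)
            GetChangesAll = $held[$name].ContainsKey($GetChangesAll)
            CanDCSync     = $held[$name].ContainsKey($GetChanges) -and $held[$name].ContainsKey($GetChangesAll)
            Members       = $members -join ', '
        }
    }
}

Get-DCSyncPrincipals | Sort-Object CanDCSync -Descending | Format-Table -AutoSize
```

Anything with CanDCSync set to True that is not Administrators, Domain Controllers or Enterprise Domain Controllers deserves a look, and the Members column is where a harmless-looking group turns out to contain a service account or a stale user. Run it in every domain of the forest, since each domain object carries its own ACL.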


PERFORMING DCSYNC

If you do have the necessary rights, the rest is quite simple. Simply execute
the following Mimikatz command:

lsadump::dcsync /domain:[YOUR DOMAIN FQDN] /user:[ACCOUNT WHOSE PASSWORD DATA YOU WANT]

The /user value is the target's sAMAccountName, and the reply contains the
account's current NTLM hash along with its password history and the
supplemental credentials the DC stores for it (for example the Kerberos AES
keys). Replacing /user with /all (optionally adding /csv) dumps every account in
the domain in one pass.

Here is that command to retrieve the KRBTGT hash: the same command with
/user:krbtgt, which yields the key needed to forge Golden Tickets.

Another cool feature is that if the account's password is stored with reversible
encryption (the "Store password using reversible encryption" account option, or
a password policy that turns it on), a clear text password is returned as well,
because it travels in the same replicated credential data.


PROTECTIONS FROM DCSYNC

The best protection is controlling the domain permissions outlined earlier, so
that only the accounts that genuinely need to replicate the domain have the
ability to do so. Inevitably, some accounts will have this right (domain
controllers, and possibly a directory synchronization service account), and they
should be protected so that their password details are never cached or stored
where attackers may compromise them: treat them as Tier 0, never log on with
them to workstations or ordinary member servers, and audit changes to the domain
object's ACL, since an attacker who has held Domain Admin once can grant these
two rights to an unremarkable account and keep DCSync as a persistence
mechanism. Start by running the script provided above against all domains to be
sure you don't have any improper users with rights to perform this attack, and
repeat it on a schedule.
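Once the audit turns up a principal that should not have the rights, the fix is to remove its ACEs from the domain object. Jeff's comment reply below describes the GUI route (domain properties, Security tab, in Active Directory Users & Computers); the following is an added example for this edit, not from the original post, that does the same thing from PowerShell with a dry run first. It assumes the RSAT ActiveDirectory module and a session that can write the domain ACL; 'JEFFLAB\svc-legacy' is a hypothetical account standing in for whatever the audit found.

```powershell
Import-Module ActiveDirectory

function Revoke-ReplicationRights {
    # Removes any explicit Allow ACE on the domain root that grants $Principal either replication
    # right. Without -Apply it only reports. Returns the number of ACEs matched.
    param(
        [Parameter(Mandatory)][string]$Principal,   # 'DOMAIN\name', as printed by the audit script
        [switch]$Apply
    )
    # Never strip the defaults: doing so breaks replication or locks administrators out
    $protected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                   'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                   'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS')
    if ($protected -contains $Principal -or $Principal -like '*\Domain Controllers') {
        throw "Refusing to modify default principal $Principal"
    }

    $replGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                   '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
    $path = "AD:\$((Get-ADDomain).DistinguishedName)"
    $acl  = Get-Acl -Path $path

    $targets = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Principal -and
        $replGuids -contains $_.ObjectType.ToString()
    })
    $verb = if ($Apply) { 'Removing' } else { 'Would remove' }
    foreach ($ace in $targets) {
        Write-Host "$verb $($ace.ObjectType) for $Principal"
        [void]$acl.RemoveAccessRule($ace)   # edits the in-memory copy only
    }
    if ($Apply -and $targets.Count -gt 0) {
        Set-Acl -Path $path -AclObject $acl   # this is the write to the domain object
    }
    return $targets.Count
}

# Dry run first, then apply ('JEFFLAB\svc-legacy' is a hypothetical account found by the audit)
Revoke-ReplicationRights -Principal 'JEFFLAB\svc-legacy'
Revoke-ReplicationRights -Principal 'JEFFLAB\svc-legacy' -Apply
```

After applying, re-run the audit script to confirm the principal is gone, and remember that an account holding Full Control or "all extended rights" on the domain object still has both replication rights implicitly; that ACE has to be removed separately.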

How Attackers Are Stealing Your Credentials with Mimikatz


Jeff Warren

Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple
roles within the Technical Product Management group since joining the
organization in 2010, initially building Stealthbits’ SharePoint management
offerings before shifting focus to the organization’s Data Access Governance
solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix,
Jeff was a Software Engineer at Wall Street Network, a solutions provider
specializing in GIS software and custom SharePoint development.

With deep knowledge and experience in technology, product and project
management, Jeff and his teams are responsible for designing and delivering
Stealthbits’ high quality, innovative solutions.

Jeff holds a Bachelor of Science degree in Information Systems from the
University of Delaware.




RELATED POSTS

 * Understanding Lateral Movement and Privilege Escalation
 * SERVER (UN)TRUST ACCOUNT
 * Making Internal Reconnaissance Harder Using NetCease and SAMRi10
 * Setup, Configuration, and Task Execution with Covenant: The Complete Guide
 * Protecting Against DCShadow
 * What is a DCShadow Attack and How to Defend Against it
 * Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant
 * Detecting Persistence through Active Directory Extended Rights
 * Lateral Movement Through Pass-the-Cache
 * Resource-Based Constrained Delegation Abuse




COMMENTS (12)

 * Achwak
   February 15, 2018 at 4:56 pm

   Good evening sir,
   I thank you so much for this article. I just have a small question. I
   couldn’t find the window allowing me to activate “Replicating Changes All”
   and “Replicating Directory Changes”. Could you please tell me how to do it?
   Best regards.

   * Jeff Warren
     February 16, 2018 at 11:15 am

     Those are special permissions that can be applied at the domain level. To
     see them, open up Active Directory Users & Computers and go to the
     properties of one of your top level domains, from there go to the security
     tab and you should be able to see those options in the list of permissions.
     This will not appear on OUs or other objects, so be sure to look at the
     domain level (jefflab.local in my case).
   
 * Kedar
   February 22, 2018 at 4:13 pm

   What are the special permissions?

   * Jeff Warren
     February 26, 2018 at 8:48 am

     The special permissions I was referring to are the ‘Replicating Directory
     Changes’ and ‘Replicating Directory Changes All’. These are ‘special’ in
     that they cannot be applied on any object, just at the domain level, and
     are required for DCSync to work. That makes this particular attack
     interesting because a user could be granted these permissions separate from
     any membership in privileged groups and still be able to perform the DCSync
     attack.

     * Somu
       August 7, 2020 at 4:27 pm

       Hi Jeff,
       Nice article, after reading I am having the following queries,
       1. Does an account require both Replicating Directory Changes and
       Replicating Directory Changes All permission to perform a DCSync attack?
       2. In ‘Replicating Directory Changes All’ permission only accounts
       password hash sync will happen right, in this case can an account
       perform DCSync with Replication Directory Changes All permission alone?
       3. In SharePoint case, the SharePoint service account will have
       replication directory changes permission alone. Since both changes and
       changes all use the same MS DRSR protocol, will the SharePoint account
       also be considered a perpetrator account?
       4. Is there a way to differentiate accounts that perform Replicating
       Directory Changes, Replicating Directory Changes All and Replicating
       Directory Changes filtered set?

       Eagerly awaiting your response.

       Thanks
       Somu

       * Joe Dibley
         August 10, 2020 at 8:20 am

         Hi Somu,
         The responses to your questions are as follows:
         1. Yes an account does require both the Replicating Directory Changes
         and the Replicating Directory Changes All to perform the DCSync attack.
         2. Only having the “replicate directory changes all” will not allow an
         account to perform the DCSync attack on its own because it specifically
         only controls access to the secret data inside Active Directory for
         replication, whereas the Replicating Directory Changes permission
         allows the account to trigger the replication with a given NC.
         3. With SharePoint, I believe as you have stated that it only has the
         Replicating Directory Changes permission so whilst it can perform
         replication of account data it does not have access to the actual
         secrets (password hashes etc) of the accounts. This should be somewhat
         safe to exclude from threat detection tooling but I would only do so if
         you are also strictly monitoring for ACL changes on the domain to make
         sure it doesn’t get granted the Replicating Directory Changes All
         permission as well.
         4. It is possible to differentiate between the different permissions
         used by enabling the Directory Service Access auditing and then looking
         for Event ID 4662 to monitor for properties which contain the
         following GUIDs:

         DS-Replication-Get-Changes -> 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
         DS-Replication-Get-Changes-All -> 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
         DS-Replication-Get-Changes-In-Filtered-Set ->
         89e95b76-444d-4c62-991a-0facbeda640c

         Other Control Access Rights can be found here
         (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb)

         A thing to note with the standard logs for event ID 4662 is that it is
         only possible to tell if replication was performed and not what. To see
         the “what” was replicated it is required to enable the diagnostic
         logging which will be extremely verbose and is not recommended for
         long-term production use.

         Cheers,
         Joe (Stealthbits)
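Joe's answer above points at Event ID 4662 and the three control-access-right GUIDs. The following is an added example for this edit, not code from the post or from the comment thread, showing what the detection logic looks like in practice: it pulls the GUIDs out of the Properties field of a 4662 record, names the replication right, and flags records where Get-Changes-All was exercised by something other than a computer account. It assumes the "Audit Directory Service Access" subcategory is enabled on the DC (without it no 4662 events are written); the three sample records are constructed for the demo and the account names in them are made up.

```powershell
# Replication control-access-right GUIDs as they appear in a 4662 'Properties' field
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightsFromProperties {
    # Pull every GUID out of a 4662 Properties string and return the replication rights among them
    param([string]$Properties)
    $guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    [regex]::Matches($Properties, $guidPattern, 'IgnoreCase') |
        ForEach-Object { $_.Value.ToLower() } |
        Where-Object { $ReplRights.ContainsKey($_) } |
        ForEach-Object { $ReplRights[$_] }
}

function ConvertFrom-DsAccessEvent {
    # Flatten an EventLogRecord (from Get-WinEvent) into a hashtable of its EventData fields
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml    = [xml]$Record.ToXml()
    $fields = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Find-DCSyncEvents {
    # Takes flattened 4662 records and reports each one that exercised a replication right.
    # Suspicious = Get-Changes-All used by a subject that is not a computer account (DCs replicate
    # as DC01$, a user running Mimikatz does not). A compromised DC machine account would still
    # slip past this heuristic, so pair it with an allow-list of known DC names in production.
    param([hashtable[]]$Events)
    foreach ($e in $Events) {
        $rights = @(Get-ReplicationRightsFromProperties -Properties $e.Properties)
        if ($rights.Count -eq 0) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Rights      = $rights -join ', '
            Suspicious  = ($rights -contains 'DS-Replication-Get-Changes-All') -and
                          (-not $e.SubjectUserName.EndsWith('$'))
        }
    }
}

# Constructed sample records standing in for real 4662 events. In a real event the Properties
# field reads '%%7688' (= Control Access) followed by the right's GUID and the object class GUID.
$sample = @(
    @{ TimeCreated = '2020-08-10 08:00:01'; SubjectDomainName = 'JEFFLAB'; SubjectUserName = 'DC02$'
       Properties = "%%7688`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}" }
    @{ TimeCreated = '2020-08-10 08:00:02'; SubjectDomainName = 'JEFFLAB'; SubjectUserName = 'svc-sharepoint'
       Properties = "%%7688`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}" }
    @{ TimeCreated = '2020-08-10 08:00:03'; SubjectDomainName = 'JEFFLAB'; SubjectUserName = 'jdoe'
       Properties = "%%7688`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`n`t{19195a5b-6da0-11d0-afd3-00c04fd930c9}" }
)
Find-DCSyncEvents -Events $sample | Format-Table -AutoSize

# On a domain controller, run the same logic over the live Security log:
# Find-DCSyncEvents -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5000 |
#                            ForEach-Object { ConvertFrom-DsAccessEvent -Record $_ })
```

In the sample, DC02$ (a DC replicating normally) and svc-sharepoint (Get-Changes only, as in Somu's question) come out with Suspicious set to False, and jdoe, who exercised Get-Changes-All from a user account, comes out True. As Joe notes, 4662 tells you that replication was requested and by whom, not which objects were pulled.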
       
         
       
     
   
 * Grzegorz
   February 23, 2018 at 11:24 am

   Hi Jeff! Good article. Please check DCShadow. It is also interesting.

   * Jeff Warren
     February 26, 2018 at 8:46 am

     Thanks, I have had some time to learn about DCShadow recently and you’re
     right, it is interesting (also scary). I am writing a series about that as
     well which you can find here.

 * wh1t3rbt
   July 4, 2018 at 4:43 am

   Please may you provide the script

   * Jeff Warren
     July 9, 2018 at 9:09 am

     Script added!

 * Felipe
   April 2, 2019 at 2:32 pm

   Hi,
   What permissions does the SYSTEM user have to have?

   * Jeff Warren
     April 3, 2019 at 3:32 pm

     This attack doesn’t need to run under the SYSTEM account, that is something
     that DCShadow requires. In any case, whether you run this as a user or
     computer that account will need the replication permissions listed above in
     the blog post granted on the domain object.
   
     
   


© 2022 Stealthbits Technologies, Inc.
