Conducting Domain Persistence with DCSync
Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
What Is This?
The DCSync attack is a red teaming technique that leverages the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to replicate Active Directory credentials. By abusing this protocol, an attacker can impersonate a domain controller and request sensitive account data, including password hashes for any user in the domain. This technique does not require code execution on the Domain Controller itself, but rather targets accounts with specific replication rights. The most valuable target is the KRBTGT account, whose hash is critical for creating Golden Tickets and maintaining long-term domain persistence.
DCSync was first demonstrated by Benjamin Delpy (creator of Mimikatz) and Vincent Le Toux. When a user or computer account holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions in Active Directory, it can request and receive the password hashes of any user, including domain administrators and service accounts. This makes DCSync an exceptionally powerful credential dumping and persistence technique.
Why Use It?
DCSync is a preferred method for attackers and red teamers seeking to establish durable persistence within a Windows Active Directory environment. The technique is highly covert because it does not require direct interaction with the domain controller beyond standard replication requests, which are part of routine Active Directory operations.
Key reasons to use DCSync for domain persistence:
- Stealth: The attack generates minimal artifacts and can blend in with legitimate domain controller replication traffic.
- Comprehensive Access: It allows the extraction of password hashes for any domain account, including privileged and service accounts.
- Golden Ticket Creation: With the KRBTGT hash, attackers can forge Kerberos tickets, granting indefinite access to domain resources.
- No Need for DC Shell Access: The attack can be executed from any system, provided the attacker’s account has the required replication privileges.
This makes DCSync essential for red teamers aiming to test an organization’s ability to detect and respond to domain-level persistence threats.
How to Use It
To conduct a DCSync attack, you need an account with the necessary replication privileges. The most widely used tool for this purpose is Mimikatz. Below is a step-by-step guide for performing a DCSync attack using Mimikatz:
1. Identify Privileged Accounts
First, determine if your compromised user has the following rights on the domain:
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-All
You can check this using PowerShell or tools like BloodHound.
2. Use Mimikatz for DCSync
Launch Mimikatz with administrative privileges on a system joined to the domain. Run the following command to extract the NTLM hash of the KRBTGT account:
lsadump::dcsync /domain:<DOMAIN> /user:krbtgt
Replace <DOMAIN> with the appropriate Active Directory domain name.
To extract domain admin hashes, such as that of the built-in Administrator account, use:
lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\Administrator
You can repeat this command for other high-value accounts such as service accounts.
3. Create a Golden Ticket (Optional)
Once you have the KRBTGT NTLM hash, you can generate a Golden Ticket:
kerberos::golden /user:<username> /domain:<DOMAIN> /sid:<domain_SID> /krbtgt:<KRBTGT_hash> /id:<RID>
Replace the placeholders with the relevant values for your environment.
4. Maintain Persistence
With the extracted hashes, attackers can create Kerberos tickets at any time, even if passwords are changed, unless the KRBTGT password is reset twice.
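The PowerShell check referred to in step 1, written from the defender's side as an added audit example (not part of the original skill): it lists every principal granted a replication extended right, or full control that implies it, on the domain root, so that anything beyond domain controllers and the built-in administrative groups can be explained or removed. It assumes the RSAT ActiveDirectory module; the baseline list of expected holders is an assumption to adjust per forest.

```powershell
# Added audit example, not from the original skill. Lists every ACE on the domain naming context
# that grants a directory-replication extended right (or full control, which implies it) and flags
# holders outside an assumed baseline of domain controllers and built-in administrative groups.
# Requires the RSAT ActiveDirectory module; Get-Acl reads the AD: drive that module creates.
Import-Module ActiveDirectory

# Schema GUIDs of the control-access rights a DCSync request needs.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllRightsGuid = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ReplicationRightHolders {
    param([string] $Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $nb  = $dom.NetBIOSName
    # Assumed baseline of principals expected to hold these rights; extend it per forest, for
    # example with a directory-synchronisation service account that legitimately replicates.
    $baseline = @(
        "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins"
    )
    $acl = Get-Acl -Path "AD:\$($dom.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString()
        $rights = $ace.ActiveDirectoryRights
        $grants = $null
        if ($ReplicationRights.ContainsKey($guid)) { $grants = $ReplicationRights[$guid] }
        elseif (($rights -band $GenericAll) -eq $GenericAll) { $grants = 'GenericAll (implies every replication right)' }
        elseif ((($rights -band $ExtendedRight) -eq $ExtendedRight) -and $guid -eq $AllRightsGuid) { $grants = 'All extended rights' }
        if (-not $grants) { continue }
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Grants     = $grants
            Inherited  = $ace.IsInherited
            InBaseline = $baseline -contains $ace.IdentityReference.Value
        }
    }
}

# Anything outside the baseline needs an owner, a justification, or removal.
Get-ReplicationRightHolders | Sort-Object InBaseline, Identity | Format-Table -AutoSize
```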
When to Use It
DCSync should be used during the post-exploitation phase of a red team engagement or authorized penetration test, specifically when:
- You have compromised an account with domain replication permissions
- You need to assess the resilience of an organization’s detection and response to domain persistence threats
- You want to demonstrate the risks associated with privileged delegation and excessive permissions in Active Directory
It is also valuable for purple team exercises, allowing defenders to test and tune their monitoring for DCSync-related activities.
Important Notes
- Authorization Is Mandatory: Never use this technique on systems you do not own or have explicit permission to test.
- Detection: While the traffic generated by DCSync can resemble legitimate replication, security monitoring solutions can detect it by alerting on unusual replication requests from non-DC hosts.
- Mitigation: Limit replication rights to only legitimate domain controllers. Regularly audit privileged groups such as Domain Admins, Enterprise Admins, and accounts with replication permissions.
- KRBTGT Reset: After a compromise, reset the KRBTGT account password twice to invalidate any Golden Tickets created using stolen hashes.
- Legal Risks: Unauthorized use can result in legal action under computer fraud statutes.
- Operational Security: Use this technique only as part of an authorized engagement with proper scoping and oversight.
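A PowerShell detection rule for the note above, added here as an example that is not part of the original skill: it flags Security event 4662 records in which a replication extended right was exercised by a principal outside an allow-list of expected replicators. The event ID, field names and rights GUIDs are the real Windows values; the sample events and the allow-list are constructed.

```powershell
# Added detection example, not from the original skill. Flags Security event 4662 records in which a
# principal outside an allow-list exercised a directory-replication extended right. Event ID, field
# names and GUIDs are real Windows/AD values; the sample events and the allow-list are constructed.
# 4662 is written only when "Audit Directory Service Access" is enabled and the domain object's SACL
# audits Control Access, so confirm that before relying on this rule.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'   # the right that returns secrets
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-SuspiciousReplication {
    param(
        [Parameter(Mandatory)] [object[]] $Events,          # TimeCreated, SubjectDomainName, SubjectUserName, Properties
        [Parameter(Mandatory)] [string[]] $AllowedSubjects  # DC computer accounts plus known replicating services
    )
    foreach ($e in $Events) {
        $hits = @($ReplicationRights.Keys | Where-Object { $e.Properties -like "*$_*" })
        if ($hits.Count -eq 0) { continue }                              # some other 4662, ignore
        if ($AllowedSubjects -contains $e.SubjectUserName) { continue }  # routine DC-to-DC replication
        $severity = if ($hits -contains '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2') { 'High' } else { 'Medium' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Rights      = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Severity    = $severity
        }
    }
}

# Flattens a live event record into the shape Find-SuspiciousReplication expects.
function ConvertFrom-4662 {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $xml  = [xml] $Record.ToXml()
        $data = @{ TimeCreated = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject] $data
    }
}

# Constructed samples: benign DC-to-DC replication, a user account pulling secrets, an unrelated 4662.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:00:01'; SubjectDomainName = 'CORP'; SubjectUserName = 'DC02$'
        Properties = "%%7688`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:03:17'; SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'
        Properties = "%%7688`n`t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}`n`t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:05:44'; SubjectDomainName = 'CORP'; SubjectUserName = 'svc-helpdesk'; Properties = "%%7688`n`t{00299570-246d-11d0-a768-00aa006e0529}" }
)
Find-SuspiciousReplication -Events $sample -AllowedSubjects @('DC01$', 'DC02$') | Format-Table -AutoSize
```

On a domain controller, `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } | ConvertFrom-4662` produces the input shape; pass the result to Find-SuspiciousReplication together with the real DC computer accounts and any service accounts that replicate legitimately.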
By mastering the DCSync technique, red teamers and security professionals can both assess and improve the security posture of Active Directory environments against some of the most dangerous and persistent attack vectors.