DCSync
Description
DCSync is a type of cyberattack where a hacker tricks a Domain Controller (DC) into thinking they're another DC. This lets the hacker ask for and receive sensitive information, like password hashes, from Active Directory (AD).
To do this, the hacker needs an account (either a user or a computer account) that has special permissions:
Replicating Directory Changes
Replicating Directory Changes All
These permissions allow the account to copy data from ADβjust like a real Domain Controller would when syncing data.
Attack
1. The first thing is to check does your user or computer have the necessary permissions, that we mentioned above. Lets say we escalated our privilages from an account "bob" to account "rocky" who has all the privilages
2. Than we need to open cmd and run as our new user "rocky"
Run shell as different user
This includes that we know the password remember.
3. Than we open mimikatz because it contains an implementation for performing DCSync attacks. Just mention the domain and user in the command.
Perform dcsync
The field that we are intrested in is Hash NTLM
It is possible to specify the /all parameter instead of a specific username, which will dump the hashes of the entire AD environment. We can perform pass-the-hash with the obtained hash and authenticate against any Domain Controller.
Prevention
Using a third party product "RPC Firewall"
What DCSync abuses is a common operation in Active Directory environments, as replications happen between Domain Controllers all the time
Therefore, preventing DCSync out of the box is not an option.
Detection
Domain Controller replication generates an event with the ID
4662
Since replications occur constantly, we can avoid false positives by ensuring the followings:
Either the property
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2or1131f6ad-9c07-11d1-f79f-00c04fc2dcd2is present in the event.Whitelisting systems/accounts with a (valid) business reason for replicating, such as
Azure AD Connect(this service constantly replicates Domain Controllers and sends the obtained password hashes to Azure AD).
Task
Task 1
Connect to the target and perform a DCSync attack as the user rocky (password:Slavi123). What is the NTLM hash of the Administrator user?
Once connected to the user bob, we need to open cmd and run the cmd as user rocky, we have the provided password in the task description.
Great, now we need mimikatz In the rocky user, the mimikatz are located in C:\Mimikatz Run the dcsync command
Answer: fcdc65703dd2b0bd789977f1f3eeaecf
Task 2
fter performing the DCSync attack, connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the Task Category of the events generated by the attack?
RDP from the bob RDP, to the DC1. The ip for DC1 is 172.16.18.3
Open Event Viewer, Security Logs, Filter and add the Event ID 4662
Last updated