DCSync is an attack that allows an adversary to simulate a domain controller by abusing the Directory Replication Service Remote Protocol (MS-DRSR). By doing so, the attacker can request and retrieve sensitive password data including NTLM hashes and the KRBTGT account hash from other domain controllers.

Attack Vector:
The attacker leverages replication permissions (e.g., "Replicating Directory Changes") to request replication data from a domain controller.
Mechanism:
By compromising an account with replication privileges, the attacker issues DCSync requests to obtain sensitive Active Directory (AD) data that is normally used for AD synchronization. This data can then be used for further attacks, such as crafting Golden Tickets or moving laterally within the network.

Objective:
Obtain credentials for an account with the "Replicating Directory Changes" or "Replicating Directory Changes All" right.
Example:
An attacker might first use Pass-the-Hash to impersonate a privileged user with these rights.
Process:
Execute the DCSync command to retrieve password hashes and key material (e.g., for the KRBTGT account).
Example Command:
.\mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt"
Outcome:
The command returns NTLM hashes and key material, which can be used to craft a Golden Ticket.
Result:
With the obtained data, the attacker can forge Golden Tickets and perform Pass-the-Ticket attacks, gaining unrestricted access across the AD domain.
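Because the attack depends on exercising replication rights, it can be detected on domain controllers from Security event 4662 when Directory Service Access auditing is enabled. The following is an added example, not part of the original page: it flags events in which a principal outside an expected-replicator list used one of the replication control access rights. The event dictionaries are a simplified, constructed form of event 4662, and the account names and allowlist are hypothetical.

```python
import re

# rightsGuid values of the control access rights that gate directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # "Control Access" bit in the 4662 access mask
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def find_suspect_replication(events, expected_replicators):
    """Return one finding per 4662 event where an account that is not an
    expected replicator exercised a replication control access right."""
    allowed = {name.lower() for name in expected_replicators}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.lower() not in allowed:
            findings.append({"time": ev.get("TimeCreated"),
                             "subject": subject, "rights": rights})
    return findings

# Hypothetical allowlist: DC machine accounts and any approved sync service.
EXPECTED_REPLICATORS = ["DC01$", "DC02$"]
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"

# Constructed sample events (simplified 4662 fields; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-01-10T02:00:01Z", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "TimeCreated": "2024-01-10T03:14:07Z", "SubjectUserName": "svc-backup",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} " + DOMAIN_DNS},
    {"EventID": 4662, "TimeCreated": "2024-01-10T03:20:00Z", "SubjectUserName": "alice",
     "AccessMask": "0x10", "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T03:21:00Z", "SubjectUserName": "bob"},
]

if __name__ == "__main__":
    for finding in find_suspect_replication(SAMPLE_EVENTS, EXPECTED_REPLICATORS):
        print(finding)
```

Any account that legitimately replicates, such as a directory synchronization service, has to be added to the allowlist, and a finding for it from an unexpected host still deserves review.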