The concept of DCSync is that it impersonates a Domain Controller to request all the hashes of the users in the domain. Yes. This means as long as you have permissions, you do not need to run any commands on the Domain Controller the need to compromise the DC is not necessary as this one is usually quite difficult
For this to work, it is important to have proper permissions to pull hashes from a Domain Controller. Generally limited to the Domain Admins, Enterprise Admins, Domain Controller Groups, and anyone with the Replicating Changes permissions set to Allow (i.e. Replicating Changes All/Replicating Directory Changes), DCSync will allow your user to perform this attack with the use of mimikatz.
What's the risk?
Well if a user can impersonate a Domain Controller and request for all the domain user's passwords, that is enough risk.
We can enumerate a user with these permission with powerview by using the Get-ObjectACL CMDLET
Get-ObjectAcl -Identity "dc=dominioncyber,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-1827981533-2463545078-1305764163-1120"}
Above, when locating these 2 objects DCSync is allowed for the user. This is as simple as running DCSync <username> on Covenant and grabbing the hashes for the krbtgt user.
It also has a sample on what command is being executed when utilizing mimikatz
And we can do this for any user of our choosing in the entire Domain
Understanding this technique and exploiting is valuable as this can provide persistence with the highest privileges on the Domain and can be also used to initiate other techniques such as Golden/Silver Tickets.
Copy link