Task 4.2: Suspected DCSync attack (replication of directory services)
If attackers hold the DS-Replication-Get-Changes-All permission (together with DS-Replication-Get-Changes) on the domain object, they can issue a directory replication request, exactly as a domain controller would, and retrieve data stored in Active Directory, including the krbtgt account's password hash. Any account can be granted these rights, not only domain controllers, which is why a compromised delegated account is enough for this attack.
In this detection, an alert is triggered when a replication request originates from a computer that isn't a domain controller.
Tools used in this test: https://github.com/gentilkiwi/mimikatz/releases.
- In the WIN5 RDP session, sign in as MSMDI\JeffL.
- In a Command window, run:
c:\Tools\mimikatz_trunk\x64\mimikatz.exe "lsadump::dcsync /domain:MSMDI.local /user:krbtgt" "exit"
You can safely ignore any errors that appear when running the commands.
This retrieves the krbtgt account's password hash (NTLM and AES keys) from the domain controller over the replication protocol; the next task uses that hash to forge a golden ticket.
For more information, review Suspected DCSync attack (replication of directory services) (external ID 2006).
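The rule described above ("replication request from a computer that isn't a domain controller") can also be approximated on the host side from Windows Security event 4662, which is logged on the domain controller when a principal exercises a control-access right on a directory object. The example below is added here and is not part of the lab or of Defender for Identity: it parses a few constructed 4662 records (reduced to the fields the rule needs) and flags any principal other than a domain controller computer account that exercised the replication rights. The three right GUIDs are the real schema values; the domain controller list, the sample events and the function names are assumptions made for the example. Note the difference from the lab's detection: 4662 records the requesting account, not the requesting host, so this rule keys on the account, whereas Defender for Identity sees the replication traffic itself. Logging 4662 for replication also depends on Audit Directory Service Access being enabled and a SACL on the domain object that audits control access.

```python
"""Toy DCSync detector over constructed Windows Security event 4662 records.

Added example, not code from the lab or from Defender for Identity.
"""
import json
import re

# Control-access right GUIDs for directory replication (real values from the
# Active Directory schema; these are the rights mimikatz's dcsync relies on).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"

REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask.
CONTROL_ACCESS = 0x100

# Assumption: computer accounts of the domain controllers in the (constructed) lab domain.
DOMAIN_CONTROLLERS = {"DC1$", "DC2$"}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample events, one JSON object per line, reduced to the 4662
# fields the rule needs. The Properties field mirrors the real layout, where
# the exercised right GUIDs are listed in braces separated by CR/LF/TAB.
SAMPLE_EVENTS = r"""
{"EventID": 4662, "SubjectUserName": "DC2$", "ObjectName": "DC=MSMDI,DC=local", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "JeffL", "ObjectName": "DC=MSMDI,DC=local", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "JeffL", "ObjectName": "CN=JeffL,CN=Users,DC=MSMDI,DC=local", "AccessMask": "0x10", "Properties": "{bf967a68-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "JeffL", "ObjectName": "", "AccessMask": "0x0", "Properties": ""}
"""


def replication_rights_in(event):
    """Return the human-readable replication rights named in the Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def is_suspected_dcsync(event, domain_controllers):
    """True when a non-DC principal exercised a replication control-access right."""
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return False
    if not replication_rights_in(event):
        return False
    dcs = {dc.upper() for dc in domain_controllers}
    return event.get("SubjectUserName", "").upper() not in dcs


def detect(lines, domain_controllers=DOMAIN_CONTROLLERS):
    """Run the rule over JSON-per-line 4662 records; return (subject, object, rights) alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspected_dcsync(event, domain_controllers):
            alerts.append((event["SubjectUserName"], event["ObjectName"], replication_rights_in(event)))
    return alerts


if __name__ == "__main__":
    for subject, obj, rights in detect(SAMPLE_EVENTS.splitlines()):
        print(f"Suspected DCSync: {subject} replicated {obj} using {', '.join(rights)}")
```

Only the second record is flagged: DC2$ is in the allowlist, the third record is an ordinary attribute read without the control-access bit, and the fourth is not a 4662 event. In a real deployment the allowlist should be built from the domain's actual domain controller accounts rather than hard-coded, and any principal that appears in an alert should be checked against the ACL of the domain object to see how it obtained the replication rights.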