DCSync

Description

DCSync is a legitimate Active Directory feature that domain controllers only use for replicating changes, but illegitimate security principals can also use it.

The Source security principal can request sensitive secrets (password hashes, Kerberos keys, etc.) from the Target domain using the DCSync feature, ultimately leading to a total compromise of the domain.

To fetch secrets, two security permissions are required: "Replicating Directory Changes" (DS-Replication-Get-Changes) and "Replicating Directory Changes All" (DS-Replication-Get-Changes-All). The relation occurs only if you give both of these permissions to the Source, either directly or through nested group membership.

Exploitation

Attackers who compromise the Source security principal can fetch secrets using dedicated hacker tools such as mimikatz or impacket.

  • Golden ticket: Results from obtaining the password hash of the "krbtgt" account, which makes it possible to forge a Kerberos TGT and allows the impersonation of anyone on any computer/service. This notably gives administrative privileges over any computer in the domain.

  • Silver ticket: Results from obtaining the password hash of a computer/service account, which makes it possible to forge a Kerberos service ticket and allows the impersonation of anyone on the given computer/service.

Remediation

Legitimate security principals allowed by default to leverage DCSync are:

  • Administrators

  • Domain Admins

  • Enterprise Admins

  • SYSTEM

In addition, the Microsoft Entra ID Connect configuration allows its password hash synchronization service account (MSOL_...) to leverage DCSync.

Finally, it is possible to discover service accounts for certain security tools, notably password auditing solutions. Verify their legitimacy with the people in charge.

For Source security principals without a legitimate need to perform DCSync, you must remove this permission.

To modify the security descriptor of the Target domain:

  1. In "Active Directory Users and Computers", right-click the domain name and select Properties > Security.

  2. Remove the "Replicating Directory Changes" and "Replicating Directory Changes All" permissions for illegitimate security principals.

Note: DCSync relations can occur through permissions from nested group membership. Hence depending on the exact situation, you must remove the groups themselves or only some of their members.

See also