![]() Golden ticket for 'Administrator ' successfully submitted for current session In this example, possessing the password hash of the krbtgt account enables the attacker to execute a Golden Ticket attack, thereby giving them unfettered access to Active Directory and member computers. ![]() Lastly, an adversary can use the newly compromised credentials to further their objectives. User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT ) ![]() User Principal Name : Type : 30000000 ( USER_OBJECT ) 'DOMAIN\krbtgt' will be the user account \mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt" The most common target for replication is the krbtgt account, as this account’s password is a prerequisite for a Golden Ticket. Next, an adversary uses mimikatz (or a similar tool) to replicate credentials from Active Directory. In this example, an attacker is using the hash of a compromised user with the necessary replication permissions to perform a Pass-the-Hash attack to launch a command prompt as the compromised user. The adversary may need to repeat the cycle of internal reconnaissance, lateral movement, and privilege escalation until finding a user with these permissions. Once the adversary has compromised a suitable account, they can use the Directory Replication Service (DRS) Remote protocol to replicate additional credentials and other data from Active Directory.įirst, an adversary must compromise an account with the necessary privileges (Replicating Directory Changes All and Replicating Directory Changes) to replicate from Active Directory. In addition, some applications - such as Azure Active Directory Connect - have legitimate need for replication permissions so their service accounts can therefore also be targeted.) ![]() (Members of the Administrators, Domain Admins, Enterprise Admins and Domain Controllers groups have the required privileges by default, and it is possible for any user to be granted these privileges. ![]() To perform a DCSync attack, an adversary must have compromised a user account with Replicating Directory Changes All and Replicating Directory Changes privileges. DCSync is a credential dumping technique that can lead to the compromise of user credentials, and, more seriously, can be a prelude to the creation of a Golden Ticket because DCSync can be used to compromise the krbtgt account’s password. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |