Mass hashes extraction from Domain Controllers

Mateusz Springer
Published in CDeX, Oct 5, 2020

Granting too many permissions can be very harmful. It is quite common to grant administrative privileges, because everything then works and nobody investigates the minimal permissions the operation actually requires, especially when the software supplier provides no detailed documentation. Such behaviour makes cybercriminals' lives easier, because they are waiting to seize exactly this opportunity.

In the case of Active Directory, attackers can abuse domain controller replication to obtain the NTLM hashes of all domain accounts. This attack is called DCSync and it uses the Directory Replication Service (DRS) Remote Protocol (MS-DRSR).

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47

To request replication from a domain controller, an attacker needs the following permissions on the domain object:

· Replicating Directory Changes

· Replicating Directory Changes All

· Replicating Directory Changes in Filtered Set (optional)

You can find objects holding these permissions with, for example, Active Directory Users and Computers or PowerShell. Domain Controllers and Domain / Enterprise Admins have them by default.

Finding objects with permissions

To find permissions using PowerShell you have to know the Rights-GUIDs. They are documented here:

https://docs.microsoft.com/en-us/windows/win32/adschema/extended-rights

You can also use PowerShell to list the control access rights defined in the configuration partition, together with their GUIDs:

Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext `
    -LDAPFilter "(&(objectclass=controlAccessRight)(rightsguid=*))" `
    -Properties RightsGuid,DisplayName |
    Select-Object Name, DisplayName, RightsGuid |
    Sort-Object Name

Rights-GUIDs are also listed in the table below.

[Image: table of Rights-GUIDs]

When checking permissions, consider all of the following cases:

· The object has full control of the domain object (GenericAll).

· The object has all extended rights (ExtendedRight) but not all other permissions. In this case the ACE grants ExtendedRight with the all-zero GUID: 00000000-0000-0000-0000-000000000000.

· The object has only some of the extended rights (ExtendedRight). In this case look for the GUIDs of the replication rights listed in the table above.

You can use the Get-Acl cmdlet in PowerShell to list the access control entries on the domain object.

Import-Module ActiveDirectory
$ADPath = "AD:DC=swada,DC=local"
(Get-Acl -Path $ADPath).Access
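To turn the three cases above into an audit, the following PowerShell (an added example, not the post's own script) walks the ACEs on the domain object and reports every principal that can replicate. The replication Rights-GUIDs are the values from the Microsoft extended-rights reference linked above; the domain path and the baseline list of principals expected to hold these rights are assumptions to adjust for your environment.

```powershell
Import-Module ActiveDirectory

# Rights-GUIDs of the three replication extended rights (Microsoft extended-rights reference)
$ReplGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'   # ExtendedRight with no specific GUID

# Assumed baseline: principals normally holding replication rights; tune for your domain
$Expected = @('Domain Controllers', 'Enterprise Domain Controllers', 'Enterprise Read-only Domain Controllers',
              'Administrators', 'Domain Admins', 'Enterprise Admins', 'SYSTEM')

$DomainDN = (Get-ADDomain).DistinguishedName   # assumption: run as a domain user against the current domain
$Acl = Get-Acl -Path "AD:$DomainDN"

$Findings = @{}
foreach ($Ace in $Acl.Access) {
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    $Who     = $Ace.IdentityReference.Value
    $Rights  = $Ace.ActiveDirectoryRights
    $Granted = @()
    if ($Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
        $Granted += 'GenericAll'                                              # case 1: full control
    }
    elseif ($Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
        $Guid = $Ace.ObjectType.ToString()
        if ($Guid -eq $AllExtendedRights)      { $Granted += 'AllExtendedRights' }  # case 2: all extended rights
        elseif ($ReplGuids.ContainsKey($Guid)) { $Granted += $ReplGuids[$Guid] }    # case 3: specific right
    }
    if ($Granted.Count -gt 0) {
        if (-not $Findings.ContainsKey($Who)) { $Findings[$Who] = @() }
        $Findings[$Who] += $Granted
    }
}

$Report = foreach ($Who in $Findings.Keys) {
    $Set = $Findings[$Who] | Sort-Object -Unique
    # GenericAll, all extended rights, or Get-Changes plus Get-Changes-All is sufficient for DCSync
    $CanDCSync = ($Set -contains 'GenericAll') -or ($Set -contains 'AllExtendedRights') -or
                 (($Set -contains 'DS-Replication-Get-Changes') -and ($Set -contains 'DS-Replication-Get-Changes-All'))
    $Baseline = @($Expected | Where-Object { $Who -eq $_ -or $Who -like "*\$_" }).Count -gt 0
    [PSCustomObject]@{ Principal = $Who; Rights = ($Set -join ', '); CanDCSync = $CanDCSync; ExpectedByDefault = $Baseline }
}
# Principals with CanDCSync = True and ExpectedByDefault = False are the ones to investigate first
$Report | Sort-Object ExpectedByDefault, Principal | Format-Table -AutoSize
```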

With replication permissions, attackers do not need access to a domain controller: a DCSync attack can be executed from any machine. The most popular tool used to execute DCSync and obtain the password hashes of all domain accounts is Mimikatz.

[Image: Mimikatz executing DCSync]

Stolen NTLM hashes can be used for Pass-the-Hash, or even for a Golden Ticket, because with DCSync the attacker also obtains the password hash of the krbtgt account.

To avoid the DCSync attack, manage permissions carefully: do not grant permissions which are not necessary, and regularly audit Active Directory privileges. Implement a password policy that requires long and complex passwords, and use passwords of at least 25 characters for service accounts. All passwords should be changed regularly.

To detect malicious replication, monitor your network. A DsGetNCChanges request from a machine which is not a domain controller is an indicator of malicious replication. You can also use threat detection systems for Active Directory, such as Microsoft Advanced Threat Analytics (ATA).

[Image: Microsoft Advanced Threat Analytics (ATA) alert for malicious replication of directory services]

https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#malicious-replication-of-directory-services
