DCSync

Information

Includes the following rights:

  • GetChanges → internal/technical permission name used in APIs and LDAP.

  • Replication-Directory-Changes → friendly display name for the same permission.

  1. Replication-Get-Changes / GetChanges

  2. Replication-Directory-Changes-All / GetChangesAll

  3. Replication-Directory-Changes-In-Filtered-Set / GetChangesInFilteredSet (not always)

Default setting: Domain Admins, Enterprise Admins, Administrators, and Domain Controllers.

Exploitation

Enumerate rights:

Get-ObjectAcl -DistinguishedName "dc=x7331,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
PreviousAddSelfNextForceChangePassword

Last updated

Was this helpful?