What is the primary objective of the Domain Dominance phase for an adversary?
To extract highly sensitive authentication material to ensure they can maintain domain admin-level privileges almost indefinitely.
The three techniques discussed for achieving Domain Dominance are DCSync, Ticket Forgery, and _____.
DPAPI Backup Keys
What is the legitimate function of the Directory Replication Service (DRS) protocol in Active Directory?
It is used by domain controllers to replicate data, such as new user information, between themselves.
What is the DCSync technique [T1003.006] from an adversarial perspective?
An adversary leverages the Directory Replication Service (DRS) protocol to pull replication data, specifically usernames and password hashes, from a domain controller.
What level of privilege is required to perform a DCSync attack?
Access as a domain or enterprise admin, or a domain controller computer account.
Which Mimikatz command is used to perform a DCSync attack?
The lsadump::dcsync command.
In the Cobalt Strike Beacon tool, what alias is a wrapper around Mimikatz’s DCSync capability?
The dcsync alias.
What is a common and highly valuable target account for an adversary using DCSync?
The krbtgt account.
Why is the password hash of the krbtgt account so valuable to an attacker?
It is used to encrypt and sign Kerberos Ticket Granting Tickets (TGTs).
What capability does an adversary gain by possessing the krbtgt account’s password hash?
They can forge valid Ticket Granting Tickets (TGTs) for any user in the domain.
Why is the krbtgt account a good candidate for ensuring long-term, high-privileged access?
Its password is not changed automatically by Active Directory.
From a defensive (OPSEC) perspective, why can’t the mere presence of DRS protocol traffic be considered a breach?
Because the Directory Replication Service (DRS) protocol is legitimately used for normal domain controller operations.
How can defenders identify potentially malicious DCSync activity?
By looking for anomalous replication requests, such as those originating from IP addresses other than known domain controllers.
Which Windows Event ID is logged for directory service replication when Directory Service Access auditing is enabled?
Event ID 4662.
What is the identifying GUID for the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All operations in a 4662 event?
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
What is the identifying GUID for the DS-Replication-Get-Changes-In-Filtered-Set operation in a 4662 event?
89e95b76-444d-4c62-991a-0facbeda640c
In Windows, what technology is used to protect secrets stored in places like the Credential Manager?
The Data Protection API (DPAPI).
In the DPAPI system, a user’s secrets are encrypted with a randomly generated AES key called a _____.
masterkey
The private key that DPAPI uses to encrypt a user’s masterkey is derived from what?
The user’s password.
What mechanism allows a user to access their DPAPI-protected secrets after their password has been changed?
A copy of the user’s masterkey is encrypted with a ‘backup key’ that is stored in Active Directory.
From an adversarial perspective, what is the ultimate goal of obtaining the domain’s DPAPI backup key?
To decrypt all DPAPI blobs for any user in the domain.
How often is the domain’s DPAPI backup key automatically changed by Active Directory?
It is never automatically changed.
What protocol can be used by a domain administrator to extract the DPAPI backup key from a domain controller?
The BackupKey Remote Protocol.
Which Mimikatz command is used to extract the domain’s DPAPI backup key?
The lsadump::backupkeys command.