While Samba has implemented the Active Directory replication protocol for years, it was not easy to abuse, especially on the Windows OS. The lsadump::DCSync feature in mimikatz was the first breakthrough in this area. Red teamers could extract the secrets needed for Kerberos token abuse and even impersonate domain controllers. In short, read access to the AD database.
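Because DCSync works by requesting replication, the defensive counterpart is to watch who exercises the replication control-access rights. The following is an added detection example, not code from the talk or from mimikatz: it scans constructed Windows Security event 4662 records (flattened here to one `key=value` line each, a format assumed for the example) and flags any non-domain-controller account that was granted DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set. The three GUIDs are the real Active Directory extended-right identifiers; the account names, object names and the `KNOWN_REPLICATORS` allow-list are assumptions for illustration.

```python
import re

# Extended rights that AD replication (and therefore DCSync) requires.
# These GUIDs are the well-known Active Directory control access right identifiers.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: accounts that legitimately replicate. In a real deployment build this
# from the domain's DC computer accounts plus any sanctioned sync service accounts.
KNOWN_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$"}

# Access mask bit for "Control Access" (ADS_RIGHT_DS_CONTROL_ACCESS) in event 4662.
CONTROL_ACCESS = 0x100

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)

# Constructed sample events (not real log output): one 4662 line per record,
# with the Properties field carrying the GUIDs separated by ';'.
SAMPLE_EVENTS = [
    # Domain controller replicating normally: expected, no alert.
    "EventID=4662 SubjectUserName=CORP\\DC02$ ObjectName=DC=corp,DC=local "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};"
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Ordinary user account exercising replication rights on the domain head: alert.
    "EventID=4662 SubjectUserName=CORP\\jsmith ObjectName=DC=corp,DC=local "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};"
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Unrelated directory access (different right, no control-access bit): no alert.
    "EventID=4662 SubjectUserName=CORP\\svc_backup ObjectName=CN=Users,DC=corp,DC=local "
    "AccessMask=0x10 Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    # Not a 4662 event at all: ignored.
    "EventID=4624 SubjectUserName=CORP\\jsmith LogonType=3",
]


def parse_event(line):
    """Turn a constructed 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect_dcsync(lines, known_replicators=KNOWN_REPLICATORS):
    """Return one alert per 4662 event in which a non-allow-listed account
    was granted a replication extended right."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        # Extended rights are only exercised through the Control Access bit.
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = [
            REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(ev.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS
        ]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in known_replicators:
            continue
        alerts.append({
            "subject": subject,
            "object": ev.get("ObjectName", ""),
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", alert)
```

Event 4662 is only generated when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL for the accounts and rights of interest, so the audit policy has to be in place before this logic has anything to read. Keeping the allow-list to actual domain controllers (and reviewing it when a DC is promoted or demoted) is what makes the remaining hits worth an analyst's time.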

By Benjamin Delpy + Vincent Le Toux

Full abstract: https://www.blackhat.com/us-18/briefings/schedule/#so-i-became-a-domain-controller-10188

Posted by Charlie