The three extended rights that control directory replication, with their GUIDs:

CN: DS-Replication-Get-Changes, GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
CN: DS-Replication-Get-Changes-All, GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
CN: DS-Replication-Get-Changes-In-Filtered-Set, GUID: 89e95b76-444d-4c62-991a-0facbeda640c (the "Replicating Directory Changes In Filtered Set" extended right; this one isn't always needed, but we can add it just in case :)
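Because any principal holding these rights on the domain object can replicate password hashes, the defender's check is to enumerate who holds them and compare against the small set of identities that are expected to. The following is an added example, not code from the original page: it reads the domain object's ACL through the ActiveDirectory module's AD: drive and reports every Allow ACE that carries one of the three replication GUIDs above, or a blanket ExtendedRight/GenericAll grant (ObjectType of all zeros), which also conveys them. It assumes the ActiveDirectory RSAT module, read access to the domain object's security descriptor, the domain DN DC=offense,DC=local from the page, and an expected-holders list that you tune for your environment.

```powershell
# Added example, not code from the original page: enumerate every ACE on the
# domain object that conveys one of the three replication extended rights.
# Assumptions: ActiveDirectory RSAT module installed, caller can read the domain
# object's security descriptor, domain is DC=offense,DC=local (NetBIOS: OFFENSE).
Import-Module ActiveDirectory

# Extended-right GUIDs as listed on the page
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# ObjectType of an ACE that covers every extended right rather than one specific one
$AllObjectsGuid = '00000000-0000-0000-0000-000000000000'

# Principals that legitimately hold replication rights in a default domain.
# Assumption: adjust this list (and the OFFENSE prefix) for your environment.
$ExpectedHolders = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    'OFFENSE\Domain Controllers',
    'OFFENSE\Enterprise Admins',
    'OFFENSE\Domain Admins'
)

function Get-ReplicationRightHolders {
    param([string]$DomainDN = 'DC=offense,DC=local')

    $extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genAll   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $acl = Get-Acl -Path ("AD:\" + $DomainDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid         = $ace.ObjectType.ToString().ToLower()
        $rightsInt    = [int]$ace.ActiveDirectoryRights
        $isExtRight   = ($rightsInt -band $extRight) -ne 0
        $isGenericAll = ($rightsInt -band $genAll) -eq $genAll

        $rightName = $null
        if ($isExtRight -and $ReplicationRights.ContainsKey($guid)) {
            # one specific replication right
            $rightName = $ReplicationRights[$guid]
        } elseif ($guid -eq $AllObjectsGuid -and ($isExtRight -or $isGenericAll)) {
            # blanket grant of all extended rights also enables replication
            $rightName = 'ALL extended rights (includes replication)'
        }
        if (-not $rightName) { continue }

        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Right      = $rightName
            Inherited  = $ace.IsInherited
            Unexpected = ($ExpectedHolders -notcontains $ace.IdentityReference.Value)
        }
    }
}

# Every row with Unexpected = True is a principal that can replicate password
# hashes from the DC and needs to be explained or removed.
Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it from a domain-joined host as a user who can read the domain object's security descriptor. Treat the result as a baseline: re-running it on a schedule and diffing the output catches exactly the kind of ACE addition the rest of this page walks through. Note that a GenericAll ACE on the domain object does not show the replication GUIDs at all, which is why the blanket-grant branch is included.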
Looking at offense.local permissions, it can be observed that user spotless does not have any special rights just yet:

spotless is then given the 3 rights that would allow them to grab password hashes from the DC:

Looking at offense.local domain object's privileges now, we can see 3 new rights related to Directory Replication added:

whoami /all confirms that spotless (S-1-5-21-2552734371-813931464-1050690807-1106) has the same privileges as seen above using the GUI:

spotless now has the required privileges to use DCSync, so we can use mimikatz to dump password hashes from the DC via:
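A DCSync request is, from the domain controller's point of view, a directory replication operation, so it can be audited like any other directory-service access. The following is an added example, not code from the original page: it queries a domain controller's Security log for event 4662 ("An operation was performed on an object") whose Properties field contains one of the three replication GUIDs listed above, and reports requests made by any account that is not a computer account (domain controllers replicate with each other using their machine accounts, whose names end in "$"). It assumes that "Audit Directory Service Access" is enabled on the DCs so that 4662 is logged, and that the caller can read the remote Security log.

```powershell
# Added example, not code from the original page: hunt the Security log of a
# domain controller for replication requests (event 4662) issued by accounts
# other than domain controllers. Assumptions: directory service access auditing
# is enabled on the DC, and the caller can read its Security log remotely.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-SuspiciousReplication {
    param(
        [string]$ComputerName = 'localhost',   # a domain controller
        [int]$Hours = 24
    )

    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Properties lists the access GUIDs that were exercised on the object
            $props = [string]$data['Properties']
            $hits  = $ReplicationGuids | Where-Object { $props -match $_ }

            # Computer accounts (name ends in $) are the normal source of replication traffic
            if ($hits -and $data['SubjectUserName'] -notmatch '\$$') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Rights  = ($hits -join ', ')
                    Object  = $data['ObjectName']
                }
            }
        }
}

# A user account requesting DS-Replication-Get-Changes-All against the domain
# object is the signature of a DCSync run and warrants immediate investigation.
Find-SuspiciousReplication -ComputerName 'dc01.offense.local' | Format-Table -AutoSize
```

The host name dc01.offense.local is a placeholder; point the function at each DC in turn, since 4662 is written only on the DC that served the request. Some legitimate non-DC identities do replicate (for example a directory synchronisation service account), so expect to maintain a short allow-list on top of the computer-account exclusion rather than treating every hit as malicious.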