MythicAgents / Apollo

A .NET Framework 4.0 Windows Agent
BSD 3-Clause "New" or "Revised" License

DCSync module is broken #109

Open swisskyrepo opened 2 years ago

swisskyrepo commented 2 years ago

Hi,

The dcsync module is not correctly parsing the output of Mimikatz; it sometimes captures the Security ID instead of the Realm, and the Relative ID instead of the password's hash image.

I think the Mimikatz output changed when targeting a single account. Here is an extract of the new output; some fields are also omitted when the "/all" argument is used.

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )     # not present using /all
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :                              # not present using /all
Password last change : 6/4/2022 7:45:12 PM          # not present using /all
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42

https://github.com/MythicAgents/Apollo/blob/2472fe703b67e0b3c221449e1fffc0320136b292/Payload_Type/apollo/mythic/agent_functions/dcsync.py#L129

I have reproduced the problem on Microsoft Windows Server 2019 Standard / 10.0.17763 N/A Build 17763.
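As an added example (not code from the Apollo project or the reporter), the block below parses the SAM ACCOUNT section quoted above by field label instead of by line position, so the record comes out the same whether or not the optional fields are present; this is the approach an investigator triaging recovered output would want. The two sample blocks are constructed from the issue text, with the second one dropping the fields marked "not present using /all".

```python
import re

# Constructed from the single-account output quoted in the issue.
SINGLE = """Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 6/4/2022 7:45:12 PM
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42
"""

# Constructed /all-style variant: the optional fields are absent, which
# shifts every later line up and breaks any position-based parser.
ALL = """Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42
"""

# "Label : value" with arbitrary padding before the colon.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_sam_block(text):
    """Return {username, sid, ntlm} keyed by label, or None if the block is incomplete."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):  # skip empty values such as "Account expiration :"
            fields[m.group(1)] = m.group(2)
    sid = fields.get("Object Security ID")
    ntlm = fields.get("Hash NTLM")
    # Validate shape so a shifted or truncated block is rejected, not mis-captured.
    if not sid or not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        return None
    if not re.fullmatch(r"[0-9a-fA-F]{32}", ntlm or ""):
        return None
    return {"username": fields.get("SAM Username"), "sid": sid, "ntlm": ntlm.lower()}
```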

djhohnstein commented 2 years ago

Tracking!