
DCSync Brief
What It Is

Using AD's built-in replication protocol (MS-DRSR) to request password hashes for any account in the domain — remotely, through a legitimate protocol, without touching a domain controller's file system, memory, or processes.

Preconditions

Both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object (the domain naming context head). Held by default by Domain Admins, Enterprise Admins, and DC computer accounts. Often delegated to directory synchronisation service accounts (for example the Azure AD Connect account).

Attacker Gain

Password hash for any account in the domain. The krbtgt hash enables golden tickets — persistent, unrestricted access that survives all password changes except krbtgt rotation. Full replication yields every account's hash.

Key Points

  • No DC access required — operates over the network via standard replication protocol calls
  • Protocol does not verify requester is a DC — any account with replication rights can issue the requests
  • krbtgt hash is the ultimate target — golden tickets impersonate any user, survive all other password changes
  • Delegated replication rights (sync tools) are the real attack surface — not just Domain Admin
  • Detection: Event ID 4662 (an operation was performed on an object) whose Properties field carries the replication control-access-right GUIDs, raised by an account that is not a DC computer account
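The detection bullet above in working form, as an added example that is not part of the original brief. It parses a handful of constructed 4662 event lines (the pipe-delimited `key=value` layout, the CORP domain, the DC01$/DC02$ and svc_aadsync account names are all assumptions made for the example), looks for the well-known replication right GUIDs in the Properties field, and reports any requester that is not a DC. Delegated sync accounts are reported at lower severity rather than suppressed, because delegated replication rights are the attack surface the brief calls out.

```python
"""Flag Event ID 4662 replication-right accesses that do not come from a DC."""
import re

# Well-known AD control-access-right GUIDs that 4662 records in its
# Properties field when an account exercises directory replication rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample events (not real log data). The flattened key=value|...
# shape is an assumption for this example; a SIEM delivers the same 4662
# fields as structured data. AccessMask 0x100 is the "control access" bit
# set when an extended right is exercised.
SAMPLE_EVENTS = [
    "EventID=4624|SubjectUserName=jdoe|SubjectDomainName=CORP|LogonType=3",
    "EventID=4662|SubjectUserName=DC02$|SubjectDomainName=CORP|AccessMask=0x100"
    "|Properties=%{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} %{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=svc_aadsync|SubjectDomainName=CORP|AccessMask=0x100"
    "|Properties=%{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} %{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP|AccessMask=0x100"
    "|Properties=%{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} %{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # 4662 for some unrelated object access: placeholder GUID, not a replication right.
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP|AccessMask=0x20"
    "|Properties=%{00000000-0000-0000-0000-000000000000}",
]


def parse_event(line):
    """Split a flattened 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def replication_rights_used(properties):
    """Return the names of replication rights whose GUIDs appear in Properties."""
    return sorted(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def detect_dcsync(lines, dc_accounts, sync_accounts=frozenset()):
    """Return one alert per 4662 event in which a non-DC account used replication rights.

    dc_accounts:   DC computer accounts (SAM names ending in '$'); the only
                   principals expected to replicate, so they are not reported.
    sync_accounts: accounts with delegated replication rights (sync tools);
                   still reported, at lower severity, so their use stays visible.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue  # object access that is not a replication request
        user = ev.get("SubjectUserName", "")
        if user in dc_accounts:
            continue  # expected DC-to-DC replication
        alerts.append({
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": rights,
            "severity": "medium" if user in sync_accounts else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"svc_aadsync"}):
        print(f"[{alert['severity']}] {alert['domain']}\\{alert['user']} used {', '.join(alert['rights'])}")
```

Run against the constructed events, the DC02$ request and the unrelated 4662 are ignored, the svc_aadsync request is reported at medium severity, and the jdoe request at high. In production the DC set should be generated from the domain's actual DC computer accounts rather than typed in, and the sync allowlist should be the output of the replication-rights audit the brief recommends, not a static guess.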

Stakeholder Explanation

An attacker with specific directory permissions asks the domain controller for password data through the same mechanism DCs use to synchronize. No break-in to the DC is needed. The most sensitive target is the master authentication key — compromising it provides persistent access to everything until the key is explicitly rotated.

Report Phrasing

Finding: DCSync — Domain Credential Extraction. The operator compromised [account] with replication rights on the domain object. Extracted the krbtgt hash and [N] Domain Admin hashes. Golden ticket created for persistent access. [Account] configured for [sync tool, password age N months]. Severity: Critical. Recommendation: Rotate krbtgt twice. Change [account] password. Audit replication rights. Monitor non-DC replication requests.

Common Pitfalls

  • Describing DCSync as 'dumping the AD database' without explaining the replication protocol mechanism
  • Saying 'you need Domain Admin' — misses that delegated replication rights are the real attack surface
  • Not explaining why the krbtgt hash is the highest-value target (golden tickets, persistence)
  • Treating DCSync as a tool feature ('run secretsdump') rather than a protocol-level technique