DCSync uses Active Directory's built-in replication protocol to request password data for any account in the domain — without accessing a domain controller's file system, memory, or running processes. This lesson explains why the technique works, what permissions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
DCSync is the endgame credential extraction technique in Active Directory. It allows an attacker with the right permissions to extract the password hash for every account in the domain — including the krbtgt account — remotely, through a legitimate protocol, without touching a domain controller's operating system.
Understanding DCSync matters because it is the technique that converts directory-level permissions into full domain credential compromise, and interviewers expect candidates to explain why replication rights are the most sensitive permissions in AD.
DCSync requires an account with two specific extended rights on the domain object: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Together, these rights allow the account to request password data through the directory replication protocol.
By default, only Domain Admins, Enterprise Admins, and the domain controller computer accounts have these rights. However, they can be delegated — and misconfigured delegations are a common finding. Service accounts for directory synchronization tools (Azure AD Connect, identity management products) are frequently granted replication rights and become high-value targets.
The attacker needs network access to a domain controller on the standard RPC/LDAP ports. No access to the DC's file system, memory, or console is required.
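The practical first step for a defender is to find out who currently holds the two rights described above. The following PowerShell is an added example, not part of the lesson: it reads the ACL of the domain object through the ActiveDirectory module's AD: drive, keeps the ACEs that grant a replication extended right (explicitly, or implicitly through a blanket ExtendedRight/GenericAll grant), and compares the holders to an assumed baseline list that you should adjust for your own forest. It assumes RSAT is installed on a domain-joined host and that the current user can read the domain's security descriptor.

```powershell
# Added example (not from the lesson): list every principal holding a DCSync-enabling
# extended right on the domain object, so delegations outside the expected baseline stand out.
# Assumes the ActiveDirectory RSAT module on a domain-joined host and read access to the domain ACL.
Import-Module ActiveDirectory

# Schema rightsGuid values of the replication extended rights (well-known schema values).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain
$acl    = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

# Keep Allow ACEs that grant one of the replication rights explicitly, or that grant
# all extended rights / GenericAll (empty ObjectType), which implicitly include them.
$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights     = $ace.ActiveDirectoryRights.ToString()
    $isBlanket  = ($ace.ObjectType -eq [guid]::Empty) -and ($rights -match 'ExtendedRight|GenericAll')
    $isExplicit = ($rights -match 'ExtendedRight') -and $replicationRights.ContainsKey($ace.ObjectType.ToString())
    if (-not ($isBlanket -or $isExplicit)) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Right     = if ($isBlanket) { 'All extended rights (blanket)' } else { $replicationRights[$ace.ObjectType.ToString()] }
        Inherited = $ace.IsInherited
    }
}

# Example baseline (an assumption; adjust to your forest). Anything else is a finding to review.
$nb = $domain.NetBIOSName
$expected = @("$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers",
              "$nb\Read-only Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
              'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

$holders | Sort-Object Principal, Right -Unique | Format-Table -AutoSize
"`nPrincipals with replication rights outside the expected baseline:"
$holders | Where-Object { $_.Principal -notin $expected } | Select-Object -ExpandProperty Principal -Unique
```

Run it from an elevated RSAT session in each domain of the forest; the output is a list of holders, not a verdict, so a synchronization service account that appears here is expected but should be confirmed against its documented need. The script lists current holders only: principals with WriteDACL or WriteOwner on the domain object can grant themselves these rights later, so they deserve the same scrutiny.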
MITRE · Official MITRE ATT&CK reference for DCSync, including procedure examples, detection, and mitigations
Active Directory uses a replication protocol (MS-DRSR) to synchronize directory data between domain controllers. When a DC needs to synchronize with another DC, it requests changes — including password hashes — through this protocol. The receiving DC authenticates the requesting identity and checks whether it has the replication extended rights on the domain object.
The protocol does not verify that the requester is actually a domain controller. Any account with the replication rights can issue the same replication requests that DCs use to synchronize. The DC processes the request identically whether it comes from a legitimate replication partner or from an attacker's workstation.
This means an attacker with replication rights can request the password hash for any single account (targeted extraction) or replicate the entire directory database (full extraction) — all through a protocol that is designed for exactly this type of data exchange.
DCSync gives the attacker the password hash for any account in the domain. The most impactful targets are:
- krbtgt account — its hash enables golden ticket creation, granting persistent, unrestricted access to the entire domain that survives password changes on all other accounts
- Domain Admin accounts — their hashes enable direct administrative authentication to any domain resource
- All accounts — full replication yields every account's hash, supporting offline cracking, credential reuse across environments, and comprehensive access
Because the extraction uses a legitimate protocol, it generates replication traffic that blends with normal DC-to-DC synchronization. The attacker does not need to touch the DC's NTDS.dit file, LSASS memory, or any process on the DC itself.
DCSync sits at the culmination of the privilege escalation chain. The attacker reaches it through one of several paths:
- Direct compromise of a Domain Admin account (any technique that yields DA credentials)
- Compromise of an account with delegated replication rights (service accounts for sync tools)
- ACL abuse to grant themselves replication rights (WriteDACL on the domain object → add replication extended rights)
- Delegation abuse that allows impersonation of a DC machine account
Once DCSync is performed, the attacker has effectively extracted the full credential store. The krbtgt hash is the final prize — it enables golden tickets that provide persistent, difficult-to-remediate access to the entire domain.
DCSync uses AD's built-in replication protocol to request password hashes for any account in the domain. The attacker needs DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object — these are the permissions that allow requesting credential data through the replication protocol. The protocol does not verify that the requester is actually a domain controller, so any account with these rights can issue the same requests DCs use to synchronize.
The most impactful target is the krbtgt account, because its hash enables golden ticket creation — persistent, unrestricted access that survives all password changes except krbtgt rotation. DCSync does not require accessing the DC's file system or memory. Detection focuses on monitoring replication requests from non-DC sources, since legitimate replication only occurs between domain controllers.
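The detection approach mentioned above (replication requests from anything that is not a domain controller) can be implemented over the Security log of a domain controller. The following PowerShell is an added example, not from the lesson: it pulls event 4662 records from the last 24 hours, keeps only those whose Properties field names a replication extended-right GUID, and reports any subject that is not a DC computer account. It assumes it runs on a DC (or against one with -ComputerName), that "Audit Directory Service Access" is enabled, and that the domain object carries a SACL auditing Control Access; the empty allow-list for sync service accounts is an assumption you fill in deliberately.

```powershell
# Added example (not from the lesson): flag Security event 4662 entries where a non-DC
# identity exercised a replication extended right on a directory object within the last 24 h.
# Assumes it runs on a domain controller (or against one via -ComputerName) with
# "Audit Directory Service Access" enabled and a SACL on the domain object auditing Control Access.
Import-Module ActiveDirectory

# Replication extended-right GUIDs as they appear in the event's Properties field.
$replGuidPattern = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c'

# DC computer accounts (SAM names end in '$') are the only expected requesters in this domain.
$dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

# Assumed allow-list for known sync service accounts (for example the Azure AD Connect account).
# Keep it short and reviewed; every entry is a DCSync-capable identity by design.
$allowedServiceAccounts = @()

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue

$alerts = foreach ($rec in $events) {
    $xml  = [xml]$rec.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only Control Access operations that name a replication right are of interest.
    if ($data['Properties'] -notmatch $replGuidPattern) { continue }

    $subject = $data['SubjectUserName']
    if ($subject -in $dcAccounts -or $subject -in $allowedServiceAccounts) { continue }

    [pscustomobject]@{
        Time    = $rec.TimeCreated
        Subject = "$($data['SubjectDomainName'])\$subject"
        Right   = [regex]::Match($data['Properties'], $replGuidPattern).Value
        Object  = $data['ObjectName']
        Source  = $rec.MachineName
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

Event 4662 is only written on the DC that served the request, so collect from every DC (or from the SIEM that already forwards their Security logs) rather than from one. The GUID filter is what makes 4662 usable at all, since the event is otherwise extremely noisy. In a multi-domain forest, DCs from other domains also replicate partition data, so extend the DC list accordingly before trusting a "non-DC" verdict. A hit from a user account or a workstation is exactly the pattern the lesson describes and should be treated as a credential-compromise incident, not a configuration curiosity.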
DCSync is a technique where an attacker with specific directory permissions requests a copy of password data for any account in your organization — through the same mechanism your domain controllers use to synchronize with each other. The attacker does not need to break into a domain controller or access its files. They simply ask for the data through a legitimate protocol, and the domain controller provides it because the permissions allow it.
The most sensitive target is the master encryption key for your domain's authentication system. If the attacker obtains it, they can create authentication credentials for any employee, including administrators, and this access persists until the key is explicitly rotated. The fix is auditing who has these replication permissions and restricting them to only the accounts that genuinely require them.
Finding: DCSync — Full Domain Credential Extraction via Replication Rights. During the assessment, the operator compromised the svc_aadconnect service account, which has DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object. Using Mimikatz DCSync, the operator extracted the NT hash for the krbtgt account and all Domain Admin accounts. A golden ticket was created using the krbtgt hash, providing persistent domain-wide access. The svc_aadconnect account was configured for Azure AD Connect synchronization with a password that had not been changed in 18 months.
Severity: Critical.
Recommendation: Rotate the krbtgt password twice immediately. Change the svc_aadconnect password and restrict its logon rights. Audit all accounts with replication rights on the domain object. Monitor for replication requests from non-DC sources.