DCSync Quiz

1.What specific permissions does DCSync require?

• Local administrator access on a domain controller
• DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object
• Domain Admin group membership only
• Physical access to the domain controller's hard drive

2.Why does the replication protocol not verify that the requester is a domain controller?

• Because of a vulnerability that Microsoft has not patched
• Because the protocol authenticates the requesting identity and checks for replication rights on the domain object — any account with those rights can issue the same requests, whether it is a DC or an attacker's workstation
• Because replication uses unauthenticated RPC calls
• Because only domain controllers can reach the replication endpoint

3.Why is the krbtgt hash the highest-value target for DCSync?

• Because krbtgt is the most commonly used account in the domain
• Because the krbtgt hash enables golden ticket creation — persistent, unrestricted access that impersonates any user with any group membership and survives all password changes except krbtgt rotation
• Because krbtgt has the longest password in the domain
• Because krbtgt can authenticate to every system

4.How does DCSync differ from extracting credentials from LSASS?

• They extract the same material using the same method
• DCSync uses the replication protocol remotely and requires replication rights; LSASS extraction reads process memory locally and requires local admin — different mechanism, different prerequisites, different detection
• LSASS extraction can get all domain credentials while DCSync cannot
• DCSync is a newer technique that replaces LSASS extraction

5.Why are directory synchronization service accounts (like Azure AD Connect) high-value targets in the context of DCSync?

• Because they have Domain Admin group membership
• Because they are frequently granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All to perform their synchronization function — making them DCSync-capable accounts
• Because they store all user passwords in plaintext
• Because they are always configured with weak passwords

6.What is the primary detection method for DCSync activity?

• Monitoring for failed authentication attempts on domain controllers
• Monitoring for DS-Replication-Get-Changes requests (Event ID 4662) from non-DC sources — legitimate replication only occurs between domain controllers
• Scanning for Mimikatz on domain controller hard drives
• Checking the NTDS.dit file for unauthorized access