DCSync Attack: Dumping AD Credentials with Mimikatz

What Is a DCSync Attack? DCSync is a credential dumping technique that abuses Active Directory’s replication mechanism. Instead of running code on a Domain Controller, an attacker with the right privileges impersonates a Domain Controller and requests password data directly from another DC using the MS-DRSR (Directory Replication Service Remote Protocol). The result: you get NTLM hashes, Kerberos keys, and plaintext passwords (in some configurations) for any account in the domain — including krbtgt and Domain Admins — without ever touching LSASS on a DC. ...

July 14, 2026 · 7 min · Red Team Guide

Pass-the-Hash vs Pass-the-Ticket: Complete Guide

Active Directory credential attacks come in two flavors that confuse people constantly: Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). Both let you authenticate as another user without knowing their plaintext password. But they work on completely different protocols, hit different defenses, and fail in different ways. This guide covers how each attack actually works under the hood, when to reach for one vs the other, how defenders detect them, and how red teamers stay ahead of detection. ...

July 10, 2026 · 9 min · Red Team Guide