T1003.006 (Advanced)

DCSync Attack

DCSync tricks a Domain Controller into sharing all password hashes by impersonating the replication process — no malware on the DC required.

Domain Controllers regularly share (replicate) data with each other to stay in sync. This includes password hashes for every user in the domain. An attacker who gains the right permissions can pretend to be a Domain Controller and ask a real DC to send it all the password data. This is called DCSync. The attacker does not need to log into the Domain Controller or install malware on it — they make a legitimate-looking request over the network, and the DC happily sends every password hash in the domain, including the Domain Admin and KRBTGT accounts. With these hashes, the attacker has complete control.

Imagine a bank with multiple branches. Branch managers regularly share employee records so every branch has up-to-date info. DCSync is like a criminal setting up a fake branch office and calling headquarters: "Hi, I'm the new branch — please send me all employee records including their PINs." Headquarters checks if the caller is authorized and, if they have the right permissions, sends everything. The criminal never had to break into the vault; they just asked politely and the system complied.

Key Takeaways

  1. DCSync replicates password hashes remotely — no malware on the DC needed.
  2. Only the replication extended rights are required: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (the third right, DS-Replication-Get-Changes-In-Filtered-Set, is only needed for attributes in the RODC filtered set).
  3. Extracting the KRBTGT hash enables Golden Ticket attacks for persistent access.
  4. Event ID 4662 with replication GUIDs from non-DC accounts is the primary detection signal.
  5. Audit who holds replication rights: (Get-Acl "AD:\DC=corp,DC=local").Access | Where-Object { $_.ObjectType -like "1131f6a*" }.
Why Should I Care?

DCSync is often the final step before total domain compromise. With a single command, an attacker extracts every password hash in the domain, enabling Golden Ticket creation and indefinite persistence.

Defense Recommendations

Restrict replication rights to Domain Controllers only, monitor Event ID 4662, and deploy Advanced Threat Analytics or Defender for Identity.

  1. Audit replication permissions (PowerView): Get-ObjectAcl -DistinguishedName "DC=corp,DC=local" -ResolveGUIDs | Where-Object ObjectAceType -match "DS-Replication".
  2. Remove replication rights from any non-DC account that does not absolutely require them.
  3. Enable advanced auditing: use Set-GPRegistryValue to apply "Audit Directory Service Access" on Domain Controllers.
  4. Deploy Microsoft Defender for Identity (formerly Advanced Threat Analytics) for real-time DCSync detection.
  5. Monitor Event ID 4662 where Properties contains {1131f6aa-*} or {1131f6ad-*} and SubjectUserName is not a DC computer account.
  6. Segment the network so that only DCs can reach each other on the RPC replication ports.
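The audit in steps 1 and 2 (and Key Takeaway 5), as an added PowerShell example that is not part of the original page: it uses the RSAT ActiveDirectory module rather than PowerView, matches the three replication extended rights by their well-known GUIDs, also catches GenericAll and blanket ExtendedRight ACEs that imply them, and flags any holder absent from a baseline allow-list. The allow-list contents and the use of Get-ADDomain to find the domain DN are assumptions to tune for your forest.

```powershell
# Added example, not from the original page. Enumerates who holds the
# replication extended rights on the domain naming context using the RSAT
# ActiveDirectory module (Get-ADDomain for the DN is an assumption; a literal
# such as "DC=corp,DC=local" works too).
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$NetBios  = $Domain.NetBIOSName

# Well-known GUIDs of the extended rights DCSync relies on
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Baseline holders in a default domain (assumption; extend with any sync
# account you have deliberately granted these rights, e.g. Azure AD Connect)
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$NetBios\Domain Controllers",
    "$NetBios\Enterprise Read-only Domain Controllers",
    "$NetBios\Domain Admins",
    "$NetBios\Enterprise Admins"
)

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Acl = Get-Acl -Path "AD:\$DomainDN"

$Findings = foreach ($Ace in $Acl.Access) {
    if ($Ace.AccessControlType -ne 'Allow') { continue }

    $Guid  = $Ace.ObjectType.ToString()
    $Right = $null
    if ($ReplicationRights.ContainsKey($Guid)) {
        $Right = $ReplicationRights[$Guid]
    } elseif (($Ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
        # Full control on the domain head implies every extended right
        $Right = 'GenericAll (implies all replication rights)'
    } elseif ((($Ace.ActiveDirectoryRights -band $ExtRight) -ne 0) -and ($Ace.ObjectType -eq [guid]::Empty)) {
        # ExtendedRight with an empty ObjectType means "all extended rights"
        $Right = 'ExtendedRight (all, includes replication)'
    }
    if (-not $Right) { continue }

    $Identity = $Ace.IdentityReference.Value
    [pscustomobject]@{
        Identity   = $Identity
        Right      = $Right
        Inherited  = $Ace.IsInherited
        Unexpected = ($ExpectedHolders -notcontains $Identity)
    }
}

# Unexpected holders first; each one is a candidate for step 2 (removal)
$Findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
$Findings | Where-Object Unexpected | ForEach-Object {
    Write-Warning "Non-baseline principal '$($_.Identity)' holds $($_.Right) on $DomainDN"
}
```

The ACL only names the direct grantee; when that grantee is a group, follow its nested membership (Get-ADGroupMember -Recursive) to see which actual accounts can replicate. Unresolvable SIDs in the Identity column are worth chasing too, since an orphaned ACE is easy to reuse.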
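Step 5 (and Key Takeaway 4), as an added PowerShell hunting script that is not part of the original page: it reads Security event 4662 from a Domain Controller, keeps only events whose Properties field names one of the replication GUIDs, and drops the DC computer accounts that replicate legitimately. The 24-hour look-back window, running on the DC itself, and the empty allow-list of service accounts are assumptions.

```powershell
# Added example, not from the original page. Reviews Security event 4662 on a
# Domain Controller for use of the replication extended rights by principals
# other than DCs. Assumes "Audit Directory Service Access" (success) is
# enabled, the RSAT ActiveDirectory module is present, and the caller can
# read the DC's Security log.
Import-Module ActiveDirectory

$ComputerName  = $env:COMPUTERNAME   # assumption: run on the DC; set a DC name otherwise
$LookBackHours = 24

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$GuidPattern = ($ReplicationRights.Keys | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Legitimate replicators: every DC's computer account (SAM name ends in '$')
$DcAccounts = Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)`$" }
# Service accounts deliberately granted replication rights (placeholder, empty here)
$AllowedAccounts = @()

$Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-$LookBackHours)
} -ErrorAction SilentlyContinue

$Hits = foreach ($Event in $Events) {
    # Pull the named EventData fields out of the event XML
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    # 4662 is noisy; only the replication control-access rights matter here
    if ($Data['Properties'] -notmatch $GuidPattern) { continue }

    $User = $Data['SubjectUserName']
    if (($DcAccounts -contains $User) -or ($AllowedAccounts -contains $User)) { continue }

    $Rights = [regex]::Matches($Data['Properties'], $GuidPattern, 'IgnoreCase') |
        ForEach-Object { $ReplicationRights[$_.Value] } | Select-Object -Unique

    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Account = "$($Data['SubjectDomainName'])\$User"
        LogonId = $Data['SubjectLogonId']   # pivot to the matching 4624 for the source address
        Rights  = ($Rights -join ', ')
        Object  = $Data['ObjectName']
    }
}

if ($Hits) {
    $Hits | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "$(@($Hits).Count) replication request(s) from non-DC accounts in the last $LookBackHours h on $ComputerName"
} else {
    "No replication-right usage by non-DC accounts in the last $LookBackHours h on $ComputerName"
}
```

Event 4662 records the account and logon session but not the network source; correlate SubjectLogonId with the 4624 logon event on the same DC to recover the client address, and run the script against every DC, since a DCSync request only lands in the log of the DC that served it.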
Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.