
DCSync

Replicate Credentials from Domain Controller

Abuse AD replication protocol to request any user's password hash from a domain controller — including the KRBTGT account hash for Golden Ticket attacks.

Difficulty: Advanced | Duration: ~5 min | MITRE ATT&CK: T1003.006

Prerequisites:
- Account with DS-Replication-Get-Changes-All rights (typically Domain Admin, Enterprise Admin, or a compromised DC)
- Network access to a domain controller (TCP 135 and the dynamic RPC port range, 49152+)
Step 1 of 3: Verify Replication Privileges

Step 1: Check Who Can Replicate

Enumerate which principals have the replication extended rights on the domain object. These rights allow requesting password data via the replication protocol.

We are checking which accounts are allowed to "replicate" data from the domain controller. Domain Admins can do this by default. If an attacker grants this right to their own account, they can pull passwords at will.
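A defensive audit of the replication rights this step describes, as an added example (it is not code from the original page or from any of the sources it cites): it reads the domain object's DACL through the ActiveDirectory module's AD: drive and lists every principal granted DS-Replication-Get-Changes, DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set, plus the GenericAll and wildcard extended-right ACEs that implicitly include them. The $ExpectedHolders baseline and the function name Get-ReplicationRightHolders are assumptions; the rightsGuid values are the schema-defined ones.

```powershell
# Added example (not from the original page): audit which principals hold the
# directory-replication extended rights on the domain root. Assumes the
# ActiveDirectory module (RSAT) is installed and the caller can read the
# domain object's DACL.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights, as defined in the
# Extended-Rights container of the AD configuration partition.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An all-zero ObjectType on an ExtendedRight ACE means "every extended right".
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$Domain = Get-ADDomain
# Baseline of principals expected to hold these rights (assumption: adjust to
# your environment, e.g. add a sanctioned password-sync service account).
$ExpectedHolders = @(
    'BUILTIN\Administrators',
    "$($Domain.NetBIOSName)\Domain Controllers",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

function Get-ReplicationRightHolders {
    param([string]$DistinguishedName = $Domain.DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights     = [int]$ace.ActiveDirectoryRights
        $objectType = $ace.ObjectType.ToString()
        $granted    = $null

        if (($rights -band $GenericAll) -eq $GenericAll) {
            # GenericAll covers every extended right, replication included.
            $granted = 'GenericAll (implies all replication rights)'
        }
        elseif (($rights -band $ExtendedRight) -ne 0) {
            if ($ReplicationRights.ContainsKey($objectType)) {
                $granted = $ReplicationRights[$objectType]
            }
            elseif ($objectType -eq $AllExtendedRights) {
                $granted = 'All extended rights (implies all replication rights)'
            }
        }
        if (-not $granted) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $granted
            Inherited = $ace.IsInherited
            Expected  = $ExpectedHolders -contains $ace.IdentityReference.Value
        }
    }
}

# List every holder, then highlight anything outside the baseline for review.
$holders = Get-ReplicationRightHolders
$holders | Format-Table -AutoSize
$unexpected = $holders | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning 'Principals outside the baseline hold replication rights; review them:'
    $unexpected | Format-Table Principal, Right, Inherited -AutoSize
}
```

Run it from a session that can read the domain DACL (a normal domain user can usually do so). The same rightsGuid values show up in the Properties field of Event ID 4662 when replication is actually requested, so the holder list produced here doubles as the allowlist for that detection: a 4662 carrying one of these GUIDs from a principal that is not in the list is the thing to investigate.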

Detection Events:
- Event ID 4662: Directory service access (ACL enumeration)
Attack Flow (diagram): the Attacker (holding replication rights) checks ACLs on DC01 (NTDS.dit), sends a replication request, and receives the KRBTGT hash in the response. Diagram legend: Request, Response, Attack, Data.

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.