Active Directory

DCSync

An attack technique that abuses the Directory Replication Service (DRS) Remote Protocol to request password hashes for any account in Active Directory, simulating a domain controller.

DCSync exploits accounts that hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. These rights are legitimately required by domain controllers and by the Azure AD Connect MSOL_ account. An attacker who compromises any account with these rights can request password hashes for every user in the domain — including the KRBTGT account, enabling Golden Ticket attacks — without needing local admin on a domain controller.

DCSync is implemented in tools such as Mimikatz (lsadump::dcsync) and Impacket (secretsdump.py). Detection relies on monitoring Directory Replication Service requests from non-domain-controller sources — Microsoft Defender for Identity provides a built-in detection.

Mitigation: restrict the replication rights to only the AAD Connect service account and the domain controllers themselves; audit and alert on anomalous DRS requests.

← Back to Glossary