DCSync is a powerful attack technique that allows adversaries to impersonate a Domain Controller (DC) and request replication data, including password hashes, from a real DC. Rather than dumping credentials from memory like traditional Mimikatz attacks, DCSync abuses the legitimate Active Directory replication mechanism. This makes it stealthy and potent in post-exploitation scenarios. For red teamers, DCSync provides a pathway to full domain compromise without touching LSASS, making it a critical tool for persistence and domain dominance in mature Windows enterprise networks.
What is DCSync?
DCSync is a method in which a compromised account holding specific privileges on the domain object (typically Replicating Directory Changes and Replicating Directory Changes All) queries a DC as if it were another DC, requesting directory data that includes the password hashes of users, domain admins, and the KRBTGT account.
This leverages the Directory Replication Service (DRS) Remote Protocol (MS-DRSR), which DCs use to replicate directory data among themselves. Tools like Mimikatz speak MS-DRSR to issue crafted RPC calls: IDL_DRSCrackNames to resolve the target account's name, and IDL_DRSGetNCChanges to pull the object's attributes, including the credential material.
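Because the request is an ordinary replication call, the DC itself only records the access check it performs on the domain object before answering. The following added defender-side example (not code from the original post) flags that check in Windows Security event 4662 records: it looks for the well-known extended-right GUIDs that correspond to the two privileges named above, exercised on the domain object by any account that is not a known DC machine account. The 4662 field names follow the event's XML, the sample records and the dc_accounts set are constructed for illustration.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Well-known extended-right GUIDs behind the two privileges named in the text.
# An account exercising either right against the domain object can run DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I
)

def flag_dcsync(events, dc_accounts):
    """Return (SubjectUserName, [right names]) for each 4662 event in which an
    account outside dc_accounts exercised a replication right on the domain object.

    events: dicts carrying the 4662 fields used below (e.g. a SIEM export).
    dc_accounts: legitimate DC machine accounts such as {"DC01$", "DC02$"};
    their DC-to-DC replication is expected and is not flagged.
    """
    trusted = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if DOMAIN_DNS_CLASS not in ev.get("ObjectType", "").lower():
            continue  # replication rights are checked on the domain NC head object
        guids = [g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))]
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in trusted:
            hits.append((subject, rights))
    return hits

# Constructed sample records, not real logs: one legitimate DC-to-DC replication,
# one service account pulling with both rights, one unrelated 4662 on a user object.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7688\n{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},  # constructed attribute GUID
]

if __name__ == "__main__":
    for subject, rights in flag_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

Auditing of the domain object (SACL with Control Access auditing) must be enabled for the 4662 events to exist at all; reviewing which principals hold these two rights on the domain object is the complementary preventive check.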