DCSync abuses the Directory Replication Service Remote Protocol (DRSUAPI) to simulate the behaviour of a domain controller requesting password data from another DC. Any account with the DS-Replication-Get-Changes-All privilege can pull every credential in the domain — NTLM hashes, Kerberos keys, the KRBTGT hash — without ever touching a domain controller's disk or executing code on any DC.
Required Privileges
By default, only Domain Admins, Enterprise Admins, and Domain Controllers have the necessary replication rights. However, we regularly find other accounts with these privileges — service accounts for backup solutions, DirSync for Azure AD Connect, and accounts given replication rights years ago for a project that no longer exists.
```powershell
# Check who has DCSync rights (PowerShell); the ActiveDirectory module provides the AD: drive
Import-Module ActiveDirectory
$acl = Get-Acl "AD:\DC=domain,DC=com"
$dcsyncGuids = @(   # replication rights are ExtendedRight entries, identified by rightsGuid (ObjectType)
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)
$acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.ActiveDirectoryRights -match "ExtendedRight" -and
    $dcsyncGuids -contains "$($_.ObjectType)"
} | Select-Object IdentityReference, ObjectType
```
Executing the Attack
```
# secretsdump.py — dumps all domain hashes
python3 secretsdump.py DOMAIN/user:password@dc-ip -just-dc

# Mimikatz
lsadump::dcsync /domain:domain.local /all /csv
```
Detection
Event ID 4662 (An operation was performed on an object) is the primary detection signal: its Properties field lists the GUIDs of the control access rights that were exercised, and the replication rights have well-known GUIDs. Alert on accounts that are not domain controllers performing replication operations. This is one of the more reliably detectable techniques, provided the SIEM rules are written correctly.
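The rule described above, written out as an added example (this is not code from the original post). It parses 4662 events in Windows event XML form, keeps only those whose Properties field carries a replication right GUID with the control-access bit set in AccessMask, and drops events from domain controller computer accounts or an approved sync account. The GUIDs and field names are the real Windows values; the sample events, the DC names, the user `jdoe` and the sync account `svc_aadconnect` are constructed placeholders.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not code from the original post. The event XML below is constructed to
mimic a 4662 EventData payload: the field names and the right GUIDs are the real Windows
schema values, while the hostnames, user names and account lists are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Well-known rightsGuid values of the directory replication control access rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Principals expected to replicate: DC computer accounts and an approved sync account.
# Both sets are placeholders (assumption) to be filled from your own inventory.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
APPROVED_SYNC_ACCOUNTS = {"svc_aadconnect"}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID_RE = re.compile(r"([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})")


def parse_4662(xml_text):
    """Extract the EventData fields a replication-abuse rule needs from one event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "user": data.get("SubjectUserName", ""),
        "access_mask": int(data.get("AccessMask", "0"), 16),
        # Properties lists the accessed right/attribute/class GUIDs, one per line, in braces.
        "guids": {g.lower() for g in GUID_RE.findall(data.get("Properties", ""))},
    }


def replication_rights_used(event):
    """Names of the replication rights present in the event's Properties field."""
    return sorted(REPLICATION_RIGHTS[g] for g in event["guids"] if g in REPLICATION_RIGHTS)


def is_dcsync_candidate(event):
    """True when a non-DC, non-approved principal exercised a replication right."""
    if event["event_id"] != 4662 or not event["access_mask"] & CONTROL_ACCESS:
        return False
    if not replication_rights_used(event):
        return False
    return event["user"] not in DOMAIN_CONTROLLERS | APPROVED_SYNC_ACCOUNTS


def detect(xml_records):
    """Return (user, rights) for every record the rule flags, in input order."""
    parsed = (parse_4662(x) for x in xml_records)
    return [(e["user"], replication_rights_used(e)) for e in parsed if is_dcsync_candidate(e)]


def _event(user, props, mask="0x100"):
    """Build a constructed 4662 event in Windows event XML form (placeholder values)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.domain.com</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="ObjectName">DC=domain,DC=com</Data>
    <Data Name="AccessMask">{mask}</Data>
    <Data Name="Properties">{props}</Data>
  </EventData>
</Event>"""


# %%7688 is the resource string for "Control Access"; the trailing GUID is the domain-DNS class.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
OTHER_PROPS = "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"

# Constructed sample: normal DC-to-DC replication, a replication request from a user
# account, and an unrelated extended-right use (User-Change-Password) by the same user.
SAMPLE_EVENTS = [
    _event("DC02$", REPL_PROPS),
    _event("jdoe", REPL_PROPS),
    _event("jdoe", OTHER_PROPS),
]

if __name__ == "__main__":
    for user, rights in detect(SAMPLE_EVENTS):
        print(f"ALERT: {user} exercised {', '.join(rights)}")
```

4662 events are only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits control-access operations, so check both before relying on this rule. The allowlist is the part that needs care: keep it to DC computer accounts and the specific sync account you have verified, since an overly broad allowlist is exactly the gap this technique exploits.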
Defence
Audit replication privileges quarterly. Remove any account that isn't a domain controller from the DS-Replication-Get-Changes-All permission on the domain partition. For Azure AD Connect, ensure the sync account uses the minimum permissions required — not Domain Admin.