# DCSync

The concept of DCSync is that it impersonates a Domain Controller and asks another DC, over the directory replication protocol (MS-DRSR, a GetNCChanges request), to hand over the password hashes of every user in the domain. This means that as long as you hold the right permissions you never need to run anything on a Domain Controller, so compromising the DC itself, which is usually quite difficult, is not necessary.

For this to work you need permissions that allow pulling hashes from a Domain Controller. By default these are limited to Domain Admins, Enterprise Admins, Administrators, the Domain Controllers group, and any principal that has the replication extended rights set to Allow on the domain object (Replicating Directory Changes and Replicating Directory Changes All; both are needed, since only the "All" right returns secrets). With those rights in hand, the attack itself is performed with mimikatz.

**What's the risk?**

If a user can impersonate a Domain Controller and request every domain user's password hash, krbtgt included, that is risk enough.

**Attack**

We can enumerate which principals hold these rights with PowerView's Get-ObjectAcl cmdlet. The query below lists every ACE on the domain head granted to the SID we are checking (here our own user):

```powershell
Get-ObjectAcl -Identity "dc=dominioncyber,dc=local" -ResolveGUIDs | ? {$_.SecurityIdentifier -match "S-1-5-21-1827981533-2463545078-1305764163-1120"}
```

![](/files/-MWuKEfD0Bh7SmnK2Qop)

![](/files/-MWuKFNEYNVUAmTgIDXP)

Above, the two replication ACEs located for our SID mean DCSync is allowed for this user. From here it is as simple as running `DCSync <username>` in Covenant and grabbing the hashes, for example for the krbtgt account.

Covenant also shows the underlying mimikatz command it executes for the task:

![](/files/-MWuKGRJKzor3xsgEn-K)

We can do this for any account of our choosing in the entire domain, here the user Jwick:

![](/files/-MWuKHJTV1qvSqH4cb0t)

Understanding and exploiting this technique is valuable: the krbtgt hash it returns gives persistence with the highest privileges in the domain, and the dumped hashes can be used to initiate other techniques such as Golden and Silver Tickets.

