# DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller, using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admins groups, or computer accounts on the domain controller, are able to run DCSync to pull password data from Active Directory, which may include current and historical hashes for potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket, or to change an account's password as noted in Account Manipulation.

DCSync functionality has been included in the "lsadump" module in mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.

**Example**

DCSync is an incredible technique that allows us to impersonate a DC (that is correct, impersonate!!) and request the hashes from the DC.

This technique is an attack that simulates the behavior of the Domain Controller (DC) in order to retrieve password data via domain replication. By using the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulate the behavior of a DC, the attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.

**DCSyncer**

DCSyncer is a tool built around mimikatz: it applies the proper parameters and the information needed to execute everything automatically. It dumps the hashes for all users (dumping a single hash is not supported). We need Domain Admins, or a user with the Replicating Directory Changes and Replicating Directory Changes All rights; once these requirements are met we can carry out this attack. The tool is simple to execute and does everything automatically.
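Because DCSync rides on legitimate MS-DRSR replication and on the Replicating Directory Changes rights described above, the defender's signal is a replication request made by something other than a domain controller. The following added example (written for this page, not code from the original page or from DCSyncer/mimikatz) shows that check over Windows Security event 4662 records: it flags control-access requests that carry the replication extended-right GUIDs when the requesting account is not a known DC computer account. It assumes 4662 auditing is enabled for the domain object; the `key=value;` line layout, the domain name CORP, the account names and the DC list are constructed for the example and are not the real EVTX/XML layout.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Added example, not from the original page. The event lines below are
constructed; a real collector would supply the same fields from EVTX/XML.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Standard Active Directory extended-right GUIDs a replication consumer needs.
# Get-Changes-All is the one that returns secrets (password hashes).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask

GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")


@dataclass
class Finding:
    account: str
    rights: List[str]
    secrets: bool  # True when Get-Changes-All (hash retrieval) was requested


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'Key=Value; Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def replication_rights(properties: str) -> List[str]:
    """Return the replication right names present in a 4662 Properties field."""
    found: List[str] = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return found


def detect_dcsync(lines: List[str], known_dcs: List[str]) -> List[Finding]:
    """Return one Finding per replication request from a non-DC account."""
    dc_accounts = {dc.upper() for dc in known_dcs}
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue  # not a control-access (extended right) operation
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # some other extended right, not replication
        account = ev.get("SubjectUserName", "")
        if account.upper() in dc_accounts:
            continue  # DC-to-DC replication is expected traffic
        findings.append(Finding(account, rights, "DS-Replication-Get-Changes-All" in rights))
    return findings


# Constructed sample records (not real log output).
SAMPLE_EVENTS = [
    "EventID=4662; SubjectUserName=DC01$; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jsmith; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=svc_backup; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jsmith; SubjectDomainName=CORP; AccessMask=0x10; "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624; SubjectUserName=jsmith; SubjectDomainName=CORP; AccessMask=0x0; Properties=",
]
KNOWN_DCS = ["DC01$", "DC02$"]  # constructed: computer accounts of the real DCs

FINDINGS = detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS)

if __name__ == "__main__":
    for f in FINDINGS:
        level = "HIGH (secrets)" if f.secrets else "MEDIUM"
        print(f"{level}: {f.account} requested {', '.join(f.rights)}")
```

The DC allow-list is the important tuning knob: a domain controller replicating from another is the normal case and must not alert, while any user or non-DC computer account requesting Get-Changes-All should be treated as a likely DCSync. Reviewing which principals actually hold these rights on the domain object is the corresponding preventive control.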
