What is DCSync?
DCSync is a technique used to request the password hashes of any user from a domain controller through the directory replication protocol (DRSUAPI): the attacker's host behaves like a domain controller asking a peer for replication data. It requires the DS-Replication-Get-Changes-All and DS-Replication-Get-Changes permissions on the domain object, so it is usually used once privileges have already been escalated in the Active Directory.
One of the most common uses of this attack is to obtain the KRBTGT account credentials in order to forge Golden Tickets, which serve as a persistence mechanism at the user-privilege level.
Normally, this type of synchronisation operation is only performed between a small set of systems (mainly domain controllers), so one of the most common ways to detect it is to analyse the source of the connection: a replication request whose originating account or address is not a known domain controller is anomalous.
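As an added illustration of that detection approach (example code, not Tarlogic's), the following Python script flags replication requests whose source is not a known domain controller. It assumes a constructed record shape in which the control-access GUIDs from Windows Security event 4662 ("Properties" field) have already been correlated with the account and the network address the DRSUAPI call came from; the sample events, the account names and the IP addresses are all constructed for the example. The three replication GUIDs are the real control-access rights that DCSync needs.

```python
"""Flag directory-replication requests that do not come from a known DC.

Added example, not Tarlogic's code. The event shape below is an assumption:
each record pairs the 4662 "Properties" GUID list with the requesting account
and the source address of the RPC call (e.g. from network or RPC logging).
"""
from dataclasses import dataclass

# Control-access right GUIDs that appear in event 4662 when replication
# (the DRSUAPI GetNCChanges operation behind DCSync) is requested.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}


@dataclass
class ReplicationEvent:
    timestamp: str   # constructed ISO timestamp
    subject: str     # account that issued the request (4662 SubjectUserName)
    source_ip: str   # address the DRSUAPI call came from (assumed correlation)
    properties: str  # 4662 "Properties" field: brace-wrapped access-right GUIDs


# Inventory of legitimate domain controllers: machine account -> expected address.
# Constructed sample values.
KNOWN_DCS = {
    "DC01$": "10.0.0.10",
    "DC02$": "10.0.0.11",
}

# Constructed sample events. Only replication requests from a DC account at its
# expected address should be treated as normal inter-DC synchronisation.
SAMPLE_EVENTS = [
    ReplicationEvent("2024-01-01T09:00:01", "DC02$", "10.0.0.11",
                     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                     "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A regular user requesting Get-Changes-All from a workstation.
    ReplicationEvent("2024-01-01T09:02:14", "j.smith", "10.0.5.23",
                     "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A DC account name used from an address that is not that DC.
    ReplicationEvent("2024-01-01T09:03:40", "DC01$", "10.0.5.23",
                     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Unrelated directory access (schema GUID of the 'user' class), not replication.
    ReplicationEvent("2024-01-01T09:05:00", "svc_backup", "10.0.0.10",
                     "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
]


def is_replication_request(event: ReplicationEvent) -> bool:
    """True if any replication control-access GUID appears in the Properties field."""
    props = event.properties.lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def is_known_dc(event: ReplicationEvent, known_dcs: dict) -> bool:
    """True only when both the account and its source address match a known DC.

    Checking the pair (not just the account name) means a DC machine account
    used from an unexpected host is still flagged.
    """
    expected_ip = known_dcs.get(event.subject.upper())
    return expected_ip is not None and expected_ip == event.source_ip


def find_suspicious_replication(events, known_dcs=KNOWN_DCS):
    """Return replication requests whose source is not a known domain controller."""
    return [e for e in events
            if is_replication_request(e) and not is_known_dc(e, known_dcs)]


if __name__ == "__main__":
    for alert in find_suspicious_replication(SAMPLE_EVENTS):
        print(f"[DCSync?] {alert.timestamp} {alert.subject} from {alert.source_ip}")
```

In a real deployment the DC inventory would come from the directory itself (the Domain Controllers OU) rather than a hard-coded dictionary, and the source address would be taken from whichever telemetry records the RPC client (network sensor or RPC auditing), since event 4662 on its own does not carry it.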
Cybersecurity articles related to DCSync
Tarlogic’s website features a number of technical articles on cybersecurity that are related to DCSync.
- Kerberos (I): How does Kerberos work? – Theory
- Kerberos (II): How to attack Kerberos?
- Kerberos (III): How does delegation work?
- N-day exploit: Kerberos EoP in Linux environments
- Kerberos tickets: Comprehension and exploitation