What is DCSync?

DCSync is a technique for requesting the password hashes of any account from a domain controller through the directory replication protocol (DRSUAPI). It requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain object, so it is usually used once privileges have already been elevated in Active Directory.

One of the most common uses of this attack is to obtain the KRBTGT account's password hash in order to forge Golden Tickets, which serve as a persistence mechanism at the user privilege level.

Normally, this type of synchronisation operation is only performed between a small set of systems (mainly domain controllers), so one of the most common ways to detect it is by analysing the source of the replication request: a DRSUAPI request originating from a host that is not a domain controller is suspicious.
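The detection approach described above, as an added example that is not part of the original page: replication requests (DRSGetNCChanges over the drsuapi endpoint) are matched against an allow list of domain controller addresses, and any request from another host is flagged. The tab-separated field order follows Zeek's dce_rpc.log, and the log lines, addresses and DC list are constructed assumptions.

```python
# Added example: flag DRSUAPI replication requests whose source host is not a
# known domain controller. Field layout is assumed to follow Zeek's dce_rpc.log;
# all addresses and log lines below are constructed sample data.
from dataclasses import dataclass

# Constructed: addresses of the domain controllers that are expected to replicate.
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

# Constructed sample lines: ts, orig_h, orig_p, resp_h, resp_p, endpoint, operation
SAMPLE_LOG = """\
1700000000.1\t10.0.0.11\t49215\t10.0.0.10\t49152\tdrsuapi\tDRSGetNCChanges
1700000001.2\t10.0.0.55\t52210\t10.0.0.10\t49152\tdrsuapi\tDRSGetNCChanges
1700000002.3\t10.0.0.55\t52211\t10.0.0.10\t445\tlsarpc\tLsarLookupNames
1700000003.4\t10.0.0.77\t53001\t10.0.0.11\t49152\tdrsuapi\tDRSGetNCChanges
"""


@dataclass
class Alert:
    ts: str
    source: str      # host that issued the replication request
    target_dc: str   # domain controller that answered it
    operation: str


def parse_line(line):
    """Split one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, orig_h, _orig_p, resp_h, _resp_p, endpoint, operation = fields
    return {"ts": ts, "orig_h": orig_h, "resp_h": resp_h,
            "endpoint": endpoint, "operation": operation}


def detect_dcsync(log_text, known_dcs):
    """Return an Alert for every DRSGetNCChanges call not sent by a known DC."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only the replication call used by DCSync is of interest here.
        if rec["endpoint"] != "drsuapi" or rec["operation"] != "DRSGetNCChanges":
            continue
        # DC-to-DC replication is the expected, benign case.
        if rec["orig_h"] in known_dcs:
            continue
        alerts.append(Alert(rec["ts"], rec["orig_h"], rec["resp_h"], rec["operation"]))
    return alerts
```

Hosts that legitimately replicate without being domain controllers (for example a server running Azure AD Connect password hash synchronisation) must be added to the allow list, or they will generate alerts of their own.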

