Last updated: April 29, 2026
Why this module exists. DCSync is the technique that lets an attacker dump every credential in your domain — without ever touching a domain controller’s filesystem. It’s not an exploit; it’s a feature being abused. Most AD environments have multiple non-DC accounts that can DCSync, and most defenders don’t know who.
The mechanic
Active Directory replicates between domain controllers using the DRSUAPI protocol. The DRSGetNCChanges RPC call asks for “all changes since version X” — including password hashes. The protocol is authenticated; specific entitlements are required:
- Replicating Directory Changes (DS-Replication-Get-Changes)
- Replicating Directory Changes All (DS-Replication-Get-Changes-All)
By default these are granted to: Domain Controllers, Domain Admins, Enterprise Admins, Administrators. By design. The vulnerability is when other principals get the same entitlement — accidentally, via nested groups, or via misconfigured ACLs.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.