6 thoughts on “Extracting User Password Data with Mimikatz DCSync”

  1. Good evening sir,
    I thank you so much for this article. I just have a small question. I couldn’t find the window allowing me to activate “Replicating Changes All” and “Replicating Directory Changes”. Could you please tell me how to do it?
    Best regards.

    1. Those are special permissions that can be applied at the domain level. To see them, open up Active Directory Users & Computers and go to the properties of one of your top-level domains, from there go to the security tab and you should be able to see those options in the list of permissions. This will not appear on OUs or other objects, so be sure to look at the domain level (jefflab.local in my case).

    1. The special permissions I was referring to are the ‘Replicating Directory Changes’ and ‘Replicating Directory Changes All’. These are ‘special’ in that they cannot be applied on any object and just at the domain level, and are required for DCSync to work. That makes this particular attack interesting because a user could be granted these permissions separate from any membership in privileged groups and still be able to perform the DCSync attack.
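
The permissions discussed in the replies above can be audited from PowerShell. This is an added example, not part of the original comments or the article's code: it lists every principal allowed the two replication rights on the domain head, and assumes the RSAT ActiveDirectory module is installed and that the current domain is the one to audit.

```powershell
# Added example: report who holds the replication rights DCSync depends on.
# Assumption: RSAT ActiveDirectory module is available (provides the AD: drive).
Import-Module ActiveDirectory

# rightsGuid values of the two control access rights, as defined in the AD schema.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Assumption: audit the domain the current session belongs to.
$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # GenericAll includes the ExtendedRight bit, so full-control ACEs match too.
    if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }

    $guid = $ace.ObjectType.ToString()
    if ($ace.ObjectType -eq [Guid]::Empty) {
        # An empty ObjectType on an extended-right ACE covers all extended rights.
        $right = 'All extended rights (includes both replication rights)'
    } elseif ($replicationRights.ContainsKey($guid)) {
        $right = $replicationRights[$guid]
    } else {
        continue
    }

    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Right     = $right
        Inherited = $ace.IsInherited
    }
}

# One row per principal and right, sorted so both rights for an account sit together.
$findings | Sort-Object Principal, Right -Unique | Format-Table -AutoSize
```

Any principal in the output that is not a domain controller group or a built-in administrative group is worth reviewing, since the rights can be granted independently of privileged group membership.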
