How can I mitigate DCSync attacks on Active Directory?

DCSync is a tool within Mimikatz that allows you (assuming you have the rights) to impersonate a Domain Controller and request a sync from a live Domain Controller (effectively taking a full copy of the Active Directory database, including all password hashes).

The DCSync exploit is well documented HERE.

Normally, DCSync attacks are performed after you have elevated (Domain Admin) access, because the permissions required for DCSync to work are normally restricted.  However, if your root-level domain permissions aren’t correctly set, you may inadvertently be highly vulnerable without even realising it, and checking those permissions is what this post is about.

Specifically, we need to audit who has the DS-Replication-Get-Changes-All right on the root of the domain, and just to be safe, we should check the Domain Controllers OU as well.  A full list of extended rights can be found on the Microsoft website, HERE, which lists the object GUIDs (which are what you are actually checking for in the script below).

The default users/groups with permission to replicate secret domain data (aka password hashes) are:

  • BUILTIN\Administrator
  • Domain Controllers


You could check this from Active Directory Users and Computers.  You’re looking for any identity with this box ticked:


I prefer the faster (with potential to automate) PowerShell method.

The script below finds all identities with DS-Replication-Get-Changes-All rights.  You could run it as a scheduled task for a periodic review and quickly see if anyone has inadvertently been given these excessive permissions. You could modify the script to review any other potentially dangerous extended-right permissions, too.
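The following script is an added example of the audit described above; it is not the original post’s script. It assumes the RSAT ActiveDirectory module (and the AD: drive it provides) is available, and it looks for the three well-known replication extended-right GUIDs rather than only DS-Replication-Get-Changes-All. It also flags ACEs that grant GenericAll or "all extended rights" (an empty ObjectType GUID), since those permit DCSync without naming the replication right explicitly. The baseline of expected identities is an assumption you should adjust for your own domain.

```powershell
# Added example (not from the original post): audit who can request replication
# of secret domain data on the domain root and the Domain Controllers OU.
# Requires the ActiveDirectory module (RSAT); run from an account that can read the DACLs.
Import-Module ActiveDirectory

# Schema-defined extended-right GUIDs for directory replication (stable across domains).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain

# Assumed baseline: identities you expect to hold these rights. Adjust for your domain.
$expectedPrincipals = @(
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Controllers",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)

# Objects to inspect: the domain root (what DCSync replicates from) and the DC OU.
$targets = @(
    $domain.DistinguishedName,
    $domain.DomainControllersContainer
)

function Get-ReplicationRightHolders {
    param([string[]]$DistinguishedNames)

    foreach ($dn in $DistinguishedNames) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs can grant the right.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $rights   = $ace.ActiveDirectoryRights
            $guid     = $ace.ObjectType.ToString()
            $hasExtRt = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0

            $matchedRight = $null
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
                # GenericAll implies every extended right, replication included.
                $matchedRight = 'GenericAll (implies all replication rights)'
            }
            elseif ($hasExtRt -and $ace.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType means "all extended rights".
                $matchedRight = 'All extended rights (implies all replication rights)'
            }
            elseif ($hasExtRt -and $replicationRights.ContainsKey($guid)) {
                $matchedRight = $replicationRights[$guid]
            }

            if (-not $matchedRight) { continue }

            [pscustomobject]@{
                Object    = $dn
                Identity  = $ace.IdentityReference.Value
                Right     = $matchedRight
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Everyone who can pull replication data from the audited objects.
$userswithextendedrights = Get-ReplicationRightHolders -DistinguishedNames $targets
$userswithextendedrights | Sort-Object Object, Identity | Format-Table -AutoSize

# Anything outside the expected baseline deserves an immediate review.
$unexpected = $userswithextendedrights | Where-Object { $expectedPrincipals -notcontains $_.Identity }
if ($unexpected) {
    Write-Warning "Unexpected identities hold replication rights:"
    $unexpected | Format-Table -AutoSize
}
```

When run as a scheduled task, redirect the `$unexpected` output to a file or mail it to the team so a newly granted right is noticed within one review period rather than at the next manual check. Note that the script reports who holds the right today; it does not catch an identity with WriteDacl or WriteOwner on the domain root, which could grant itself the right later, so those rights are worth auditing with the same approach.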

After running the script, the variable $userswithextendedrights shows who has the permission set.  If you see something like the results below, then you have a massive security hole:
