How can an attacker execute DCSync from a domain-joined host that is not a domain controller?
The attacker first obtains a high-privilege ticket, either by generating a Golden ticket with the krbtgt hash using Mimikatz or by using Rubeus to request a TGT for a privileged user. After importing the ticket with SharpTGTImporter, they run SharpDCSync to export hashes. Alternatively, Mimikatz itself can perform DCSync after ticket import or overpass-the-hash. For related privilege escalation tactics, see "Domain Penetration - Obtaining DNS Records with Regular User Privileges" and "Domain Penetration - Using Specific ACLs in Exchange Server for Domain Privilege Escalation".
DCSync from domain host, Golden ticket, Rubeus, SharpTGTImporter, SharpDCSync, Overpass the hash