How can an attacker maintain domain persistence by adding DCSync rights to a regular user?
An attacker with Domain Admin or Enterprise Admin privileges can add three specific ACEs (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and another replication GUID) to a regular user's ACL. This grants the user DCSync rights, allowing them to export all domain hashes and persist as a 'Shadow Admin'.
---
**Related reading:**
- Domain Penetration - DCSync — original article
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Use powershell to find a writable windows service
- Windows Shellcode Study Notes - Extraction and Testing of Shellcode
---
Tags: DCSync, persistence, ACE, Shadow Admin, ACL
Source: Domain Penetration - DCSync