One Day Sec

How can an attacker maintain persistence in a domain using DCSync without being in high-privilege groups?

An attacker who already holds Domain Admin (or any principal with WriteDacl on the domain object) can add three access control entries to the domain naming context's DACL for an ordinary user account: the extended rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set. PowerView's Add-DomainObjectAcl -Rights DCSync writes exactly these three ACEs; the first two are what a DCSync request needs, the third is added alongside them. Together they let that user ask a domain controller to replicate directory objects, including password hashes, creating a "shadow admin": an account in no privileged group that can nonetheless dump every hash in the domain. Caveat: it is not invisible. With directory service access auditing enabled, each DCSync request is logged on the serving domain controller as Security event 4662 carrying these GUIDs, and a 4662 whose subject is not a domain controller computer account is a strong detection signal; the planted ACEs themselves can be found by auditing the domain object's DACL.
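The grant described above, followed by the audit that finds it, as an added PowerShell example (this is not the page's own code). It assumes the ActiveDirectory RSAT module is installed and PowerView is loaded; the account name svc-backup and the function name Get-DcsyncPrincipal are placeholders chosen for the example.

```powershell
# Added example, not code from the original page. Assumes the ActiveDirectory
# module (RSAT) and PowerView (PowerSploit Recon) are loaded; 'svc-backup' and
# Get-DcsyncPrincipal are names made up for this example.

# Extended-right GUIDs that PowerView's -Rights DCSync writes to the domain DACL.
$DcsyncGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# 1. Attacker view (PowerView): grant the three ACEs on the domain object to a
#    plain user. This needs WriteDacl on the domain object, which is why the
#    prerequisite is Domain Admin or an equivalent principal.
$domainDn = (Get-ADDomain).DistinguishedName
Add-DomainObjectAcl -TargetIdentity $domainDn -PrincipalIdentity 'svc-backup' -Rights DCSync

# 2. Defender view (native AD module): list every principal holding any of the
#    replication extended rights on the domain object.
function Get-DcsyncPrincipal {
    param([string]$DistinguishedName = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $DcsyncGuids.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Right     = $DcsyncGuids[$_.ObjectType.ToString()]
            }
        } |
        Group-Object Principal |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Name
                Rights    = ($_.Group.Right | Sort-Object -Unique) -join ', '
            }
        }
}

# Anything beyond the built-in domain controller and administrator groups (and
# replication accounts you know about, e.g. an Azure AD Connect service account)
# is a candidate shadow admin and should be explained or removed.
Get-DcsyncPrincipal | Format-Table -AutoSize
```

The audit only matches ACEs that name one of the three GUIDs explicitly. A principal can also obtain DCSync through GenericAll on the domain object or through an ExtendedRight ACE with the all-zero ObjectType GUID (all extended rights), so a complete review should report those ACEs as well.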
Tags: DCSync persistence, Shadow Admin, ACE, PowerView, ACL
