How can an attacker maintain persistence using DCSync without being a Domain Admin?
An attacker who has already obtained high privileges once (WriteDACL or WriteOwner on the domain object, which in practice means Domain Admin or equivalent) can grant DCSync rights to an ordinary domain user by adding Access Control Entries (ACEs) to the domain object, for example with PowerView's Add-DomainObjectAcl. The three extended rights involved are DS-Replication-Get-Changes (rightsGUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c); the first two are what a DC actually checks before it replicates secrets, the third is added for completeness by PowerView's -Rights DCSync option. The resulting 'Shadow Admin' is a member of no privileged group, so it survives a clean-up that only reviews Domain Admins / Enterprise Admins membership, yet it can request replication of every account (including krbtgt) with Mimikatz lsadump::dcsync and recover all domain password hashes. Defenders should audit the domain object's DACL for replication rights held by anything other than Administrators, Domain Controllers and Enterprise Domain Controllers (Azure AD Connect's MSOL_ account is a known legitimate exception), and alert on Event ID 4662 where those two replication GUIDs appear and the subject is not a domain controller computer account.
---
**Related reading:**
- Domain Penetration - DCSync — original article
- An interesting way of bypassing Windows Attachment Manager
- Penetration Techniques - Exploitation of Nine Windows Privileges
- Penetration Techniques - Pass the Hash with Remote Desktop (Restricted Admin Mode)
Tags: DCSync persistence, Shadow Admin, ACEs, PowerView, Active Directory ACL
Source: Domain Penetration - DCSync