How can an attacker use a low-privilege user with DCSync rights to export domain hashes without interactive logon?
Using PowerShell, the attacker can start a process as the low-privilege user with `Start-Process` and `-Credential`, then execute mimikatz commands to dump hashes. Alternatively, `runas` with a batch file can run DCSync in the background, exporting results to a text file.
---
**Related reading:**
- Domain Penetration - DCSync — original article
- Webmin<=1.920-Unauthenticated_RCE(CVE-2019-15107) Exploitation Test
- Use powershell to find a writable windows service
- Windows Shellcode Study Notes - Extraction and Testing of Shellcode
Tags: DCSync, mimikatz, runas, PowerShell, credential delegation

Source: Domain Penetration - DCSync