One Day Sec

What are some practical methods to execute DCSync from a domain-joined machine as a low-privileged user that has been given DCSync rights?

The user can run mimikatz directly if logged in, or use `runas` or PowerShell's `Start-Process` with credentials to execute a batch file containing the DCSync command. For example: `mimikatz.exe privilege::debug "lsadump::dcsync /domain:test.com /user:administrator /csv"`. Note that wmic cannot be used locally with alternate credentials. For more, refer to "Domain Penetration - Method to Export All Domain User Hashes Using DCSync".

Tags: DCSync execution, runas, PowerShell, mimikatz, alternative credentials
