One Day Sec

What is DCSync and how does it relate to the Exchange ACL escalation?

**DCSync** is a **Mimikatz** technique that simulates a domain controller replication request to export password hashes for all domain users. Once an attacker gains **WriteDACL** on the domain object via an Exchange group, they can add an ACE granting **DCSync** rights to a controlled user, then run `lsadump::dcsync` to extract the krbtgt hash. This hash enables a **Golden Ticket** attack for persistent domain admin access.
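For defenders, the escalation described above leaves two kinds of ACE on the domain object that can be audited. The following is an added example, not part of the original answer: it scans the domain object's DACL in SDDL form for WriteDACL or replication rights held by trustees outside a baseline. The baseline set, the function names and the sample SDDL with its SIDs are assumptions constructed for illustration.

```python
import re

# Extended-right GUIDs that together allow directory replication (DCSync).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed baseline (SDDL aliases) of trustees expected to hold these rights.
EXPECTED = {"SY", "BA", "DA", "EA", "DD", "ED", "RO"}

def rights_set(field):
    """Return the rights in an ACE as two-letter SDDL codes."""
    if field.lower().startswith("0x"):          # numeric access mask
        mask = int(field, 16)
        return {c for c, bit in (("WD", 0x40000), ("CR", 0x100)) if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def audit_domain_dacl(sddl, expected=EXPECTED):
    """Flag allow ACEs giving WriteDACL or replication rights to unexpected trustees."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] not in ("A", "OA"):
            continue                            # skip deny and audit ACEs
        rights, obj, trustee = rights_set(parts[2]), parts[3].lower(), parts[5]
        if trustee in expected:
            continue
        if "WD" in rights or "GA" in rights:
            findings.append((trustee, "WriteDACL"))
        if "CR" in rights or "GA" in rights:
            # An empty object GUID means the ACE covers every extended right.
            if not obj or obj in REPL_RIGHTS:
                findings.append((trustee, REPL_RIGHTS.get(obj, "All-Extended-Rights")))
    return findings

# Constructed DACL for a domain object; both SIDs are made up.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1121"   # stands in for the Exchange group
USER = "S-1-5-21-1111111111-2222222222-3333333333-1605"    # stands in for the controlled user
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    f"(A;CI;WD;;;{GROUP})"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{USER})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{USER})"
    "S:(AU;SA;WD;;;WD)"
)

if __name__ == "__main__":
    print(audit_domain_dacl(SAMPLE_SDDL))
```

Any finding means a trustee outside the baseline can rewrite the domain object's ACL or already holds replication rights, and should be reviewed against change records.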