What permissions are required to perform a DCSync attack to export all domain user hashes?

You need permissions for any of the following: Administrators group, Domain Admins, Enterprise Admins, or the computer account of a domain controller. DCSync exploits the Directory Replication Service (DRS) protocol, which demands these high privileges. For a full breakdown, see the Domain Penetration - Method to Export All Domain User Hashes Using DCSync article.