What protocol does DCSync exploit to replicate credentials?
DCSync exploits the Directory Replication Service (DRS) protocol, specifically the IDL_DRSGetNCChanges method, to request replication of user credentials from a domain controller. This protocol is normally used by domain controllers to synchronize directory information.
---
**Related reading:**
- Domain Penetration - DCSync — original article
- An interesting way of bypassing Windows Attachment Manager
- Penetration Techniques - Exploitation of Nine Windows Privileges
- Penetration Techniques - Pass the Hash with Remote Desktop (Restricted Admin Mode)
---
**Related reading:**
- Domain Penetration - DCSync — original article
- An interesting way of bypassing Windows Attachment Manager
- Penetration Techniques - Exploitation of Nine Windows Privileges
- Penetration Techniques - Pass the Hash with Remote Desktop (Restricted Admin Mode)
DCSync protocolDRSIDL_DRSGetNCChangescredential replicationActive Directory
Source:Domain Penetration - DCSync