DCSync
Abuse the DRS GetNCChanges replication API, using the DS-Replication-Get-Changes-All extended right that domain controllers hold, to pull account credentials from a DC as if replicating to another DC.
§ Where this technique fits
T1003.006 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 13 approved dossiers in the registry, at step 5.6 on average.
Authoritative reference: attack.mitre.org/techniques/T1003/006/.
§ Dossiers chaining this technique
- step 2 / 6
Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
- step 3 / 5
ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
- step 5 / 5
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- step 5 / 5
BadSuccessor (DMSA, 2025) → instant Domain Admin
Server 2025's Delegated Managed Service Accounts inherit the powers of any account listed in msDS-ManagedAccountPrecededByLink — letting an OU-admin escalate to DA without any patch chain.
- step 5 / 5
ADCS ESC1 → Domain Admin
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- step 6 / 6
ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- step 6 / 6
ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
- step 6 / 6
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- step 6 / 6
ADCS ESC11 → certificate via RPC (no web enrollment)
When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- step 7 / 7
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- step 7 / 7
noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
- step 7 / 7
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- step 8 / 8
No creds → Domain Admin via LLMNR poisoning and NTLM relay
Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
§ What commonly comes next
- 01 Domain Trust Discovery · seen 1× · T1482 · Discovery
- 02 ZeroLogon (CVE-2020-1472) · seen 1× · AD-ZL · Privilege Escalation