Gaining access to domain admin credentials is part of the endgame in many sophisticated attacks where threat actors are trying to maintain persistence. One of the ways that adversaries accomplish this is through DCSync attacks.
What is a DCSync attack?
A DCSync attack is a technique in which threat actors run a process that impersonates a domain controller and uses the Directory Replication Service (DRS) remote protocol to request replication of Active Directory (AD) data. This lets them pull password hashes from real domain controllers, which they can later crack.
Performing the attack requires the attacker to have already compromised an account that holds the “Replicating Directory Changes” privileges on the target domain. Attackers usually seek out accounts granted the Replicating Directory Changes All privilege, because it allows replicating the password data of any domain account.
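Because DCSync must exercise exactly these replication rights, a defender can spot it in Windows Security event 4662 (directory service object access) when the right is used by an account that is not a domain controller. The following detection routine is an added example, not code from the original article; it assumes 4662 events are already parsed into dicts with the fields shown, and the allow-list and sample events are constructed.

```python
"""Flag DCSync-style replication requests in parsed Windows event 4662 records."""

# Well-known AD control-access-right GUIDs that DCSync exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: accounts expected to replicate (DC computer accounts, directory sync
# services). In production, derive this from the Domain Controllers OU instead.
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}


def dcsync_alerts(events, allowed=ALLOWED_REPLICATORS):
    """Return (subject, [rights]) for 4662 events where an account outside the
    allow-list requests a replication control-access right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        mask = ev.get("AccessMask", 0)
        mask = int(mask, 16) if isinstance(mask, str) else mask
        # 0x100 (ADS_RIGHT_DS_CONTROL_ACCESS) is the bit set for extended rights.
        if mask & 0x100 == 0:
            continue
        # The Properties field lists access type tokens and {GUID}s; keep the GUIDs.
        props = {p.strip("{}").lower() for p in ev.get("Properties", "").split()}
        used = sorted(REPLICATION_RIGHTS[g] for g in props if g in REPLICATION_RIGHTS)
        if used and ev.get("SubjectUserName") not in allowed:
            alerts.append((ev["SubjectUserName"], used))
    return alerts


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # normal DC replication
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # user account: suspicious
    {"EventID": 4662, "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated read
]

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

Pair this with an audit of which principals actually hold the replication rights on the domain head, since the event only fires once the right is used.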