DCSync

Information

Includes the following rights:

• GetChanges → internal/technical permission name used in APIs and LDAP.

• Replication-Directory-Changes → friendly display name for the same permission.

1. Replication-Get-Changes / GetChanges

2. Replication-Directory-Changes-All / GetChangesAll

3. Replication-Directory-Changes-In-Filtered-Set / GetChangesInFilteredSet (not always)

Default setting: Domain Admins, Enterprise Admins, Administrators, and Domain Controllers.

Exploitation

PowerView

Enumerate rights:

Get-ObjectAcl -DistinguishedName "dc=x7331,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

Impacket