DCSync Attack
DCSync abuses the Active Directory replication protocol (MS-DRSR). By pretending to be a Domain Controller and requesting replication, an attacker with sufficient privileges can pull NT hashes for ALL domain accounts without logging on to the DC or running code on it.
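A defender-side check for the replication request described above, as an added example that is not part of the original page: it scans Security log event 4662 records from a DC for directory replication rights exercised by an account that is not a Domain Controller. The event ID and right GUIDs are standard Windows values supplied here, not taken from the page; the account names, the dict field layout and the sample events are constructed.

```python
import re

# Control-access right GUIDs that gate directory replication (AD schema constants).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample records, reduced to the fields this check reads.
SAMPLE_EVENTS = [
    # Peer DC replicating: expected traffic.
    {"EventID": 4662, "SubjectUserName": "DC2$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Non-DC account exercising replication rights (mixed-case GUID on purpose).
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "%%7688 {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access with no replication right.
    {"EventID": 4662, "SubjectUserName": "alice",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Different event type: ignored.
    {"EventID": 4624, "SubjectUserName": "svc_backup", "Properties": ""},
]

def find_dcsync_candidates(events, dc_accounts):
    """Return [(account, [rights])] for non-DC accounts that used replication rights."""
    allowed = {name.lower() for name in dc_accounts}
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev.get("SubjectUserName", "")
        if user.lower() in allowed:
            continue  # Domain Controller machine accounts replicate legitimately
        guids = GUID_RE.findall(ev.get("Properties", "").lower())
        rights = {REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS}
        if rights:
            hits.setdefault(user, set()).update(rights)
    return sorted((user, sorted(rights)) for user, rights in hits.items())

if __name__ == "__main__":
    for user, rights in find_dcsync_candidates(SAMPLE_EVENTS, {"DC1$", "DC2$"}):
        print(f"replication rights used by non-DC account {user}: {', '.join(rights)}")
```

Event 4662 is only written when Audit Directory Service Access is enabled and the domain object carries an auditing entry. Accounts that legitimately replicate, such as directory synchronization services, belong in the allowlist alongside the DC machine accounts.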