Which technique simulates domain controller behavior to retrieve passwords?

Prepare for the WatchGuard Endpoint Security Essentials Test. Study with multiple choice questions, hints, and explanations. Boost your exam readiness now!

Multiple Choice

Which technique simulates domain controller behavior to retrieve passwords?

Explanation:
The concept being tested is using the domain controller’s replication mechanism to steal credentials. DCSync works by abusing the Directory Replication Service (DRS) protocol to request and obtain password-related data from a domain controller as if you were another domain controller that normally receives those secrets. With the right privileges, an attacker can pull password hashes (including NTLM and Kerberos material) and related keys without logging on to user accounts. This makes DCSync a direct method to simulate DC behavior and extract credentials, which is why it’s the correct choice.

DCShadow also involves impersonating a domain controller, but its main aim is to insert or alter data by manipulating replication, not primarily to retrieve password data. Code Injection covers injecting code into processes to harvest secrets, not replicating DC data. Network Attack Protection is a defensive feature, not an attack technique.
