This abuse can be carried out when controlling an object that has WriteDacl over any object.
The attacker can write a new ACE to the target object’s DACL (Discretionary Access Control List). This can give the attacker full control of the target object. This can be achieved with Add-DomainObjectAcl (PowerView module).
For instance, this ACE can be abused to grant GenericAll rights over the compromised object.
Add-DomainObjectAcl -TargetIdentity "target_object" -PrincipalIdentity "controlled_object" -Rights All
The same process can be applied to allow an object to DCSync (with -Rights DCSync), even though GenericAll includes all ExtendedRights, hence the three extended rights needed for DCSync to work (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).
Pro tip for UNIX-like users: ntlmrelayx can carry out that abuse with the --escalate-user option.
A few tests showed the Add-DomainObjectAcl command needed to be run with the -Credential and -Domain options in order to work.
When an object has WriteDacl over the Domain object, it is possible to perform a DCSync. Exchange Servers used to have this right, allowing attackers to conduct a PrivExchange attack (see the PushSubscription abuse, and the NTLM relay attack using Impacket's ntlmrelayx and the --escalate-user option).
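To audit for the exposure described above, the following added example (not part of the original page) parses a DACL in SDDL form, such as an exported security descriptor of the Domain object, and reports allow ACEs that give an unexpected trustee WriteDacl, GenericAll or the DCSync replication rights. The sample SDDL, the SIDs and the function names are constructed for illustration.

```python
import re

# SDDL right codes used on directory objects, mapped to access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
WRITE_DAC, CONTROL_ACCESS, GENERIC_ALL = 0x40000, 0x100, 0x10000000
DS_FULL_CONTROL = 0xF01FF  # mask GenericAll maps to on a directory object
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All"}

# Constructed sample: SIDs and ACEs are made up for this example.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;CI;RPLCLORC;;;AU)"
               f"(A;CI;RCWD;;;{DOM}-1105)"
               f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1106)"
               f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOM}-1106)")

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def risky_aces(sddl, expected_trustees):
    """Return sorted (trustee, finding) pairs for allow ACEs of unexpected trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # skip deny, audit and malformed entries
        rights, obj_guid, trustee = fields[2], fields[3].lower(), fields[5]
        if trustee in expected_trustees:
            continue
        mask = parse_mask(rights)
        if mask & GENERIC_ALL or (mask & DS_FULL_CONTROL) == DS_FULL_CONTROL:
            findings.add((trustee, "GenericAll"))
        elif mask & WRITE_DAC:
            findings.add((trustee, "WriteDacl"))
        if mask & CONTROL_ACCESS and not obj_guid:
            findings.add((trustee, "AllExtendedRights"))
        elif mask & CONTROL_ACCESS and obj_guid in REPL_GUIDS:
            findings.add((trustee, REPL_GUIDS[obj_guid]))
    return sorted(findings)

if __name__ == "__main__":
    for trustee, finding in risky_aces(SAMPLE_SDDL, {"DA"}):
        print(f"{trustee}: {finding}")
```

The `expected_trustees` set is the allowlist of principals that are supposed to hold these rights in a given environment; anything reported outside it is a candidate for review.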