T1003.006: DCSync
| View on MITRE ATT&CK | T1003.006 |
|---|---|
| Tactic(s) | Credential Access |
Data from MITRE ATT&CK®:
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Password Policies
Set and enforce secure password policies for accounts.Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Active Directory Object Access (Active Directory)
Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Mimikatz Use
Credential Dumping Tools Service Execution - System
Mimikatz DC Sync
Credential Dumping Tools Service Execution - Security
Suspicious Get-ADReplAccount
HackTool - Mimikatz Execution
Active Directory Replication from Non Machine Account
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.