Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admins groups, or computer accounts on the domain controller, are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or to change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)
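Because DCSync is a legitimate replication request issued by an account that should not be replicating, the defender's signal is the control-access right being exercised, not the protocol itself. The following is an added detection example, not code from the ATT&CK page or from the Center for Threat-Informed Defense mappings: it reads Windows Security event 4662 records (rendered here as constructed key=value lines) and flags any subject that requests the directory replication rights against the domain naming context without being one of the known domain controller computer accounts. The `ALLOWED_REPLICATORS` set is an assumed placeholder; in a real environment it would be populated from the domain's DC list plus any directory-synchronisation service accounts that replicate by design, and the audit policy for Directory Service Access must be enabled for 4662 to be logged at all.

```python
"""Flag event 4662 records that look like DCSync replication requests.

Added example (not the page's or any vendor's code). Assumes 4662 events are
available as one key=value line each; the sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Extended-right GUIDs for directory replication. A DCSync request asks for
# DS-Replication-Get-Changes plus Get-Changes-All (the one that returns secrets).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed placeholder: computer accounts of the domain controllers, which
# replicate with each other legitimately. Populate from the real DC list.
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    subject: str        # account that requested the replication rights
    object_name: str    # naming context the request targeted
    rights: tuple       # replication rights named in the Properties field
    severity: str       # "high" when Get-Changes-All (secrets) was requested


def parse_fields(line: str) -> dict:
    """Split a key=value rendering of an event into a dict, unquoting values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(line: str):
    """Return a Finding for a suspicious 4662 record, or None if benign/irrelevant."""
    fields = parse_fields(line)
    if fields.get("EventID") != "4662":
        return None
    requested = tuple(
        REPLICATION_RIGHTS[guid.lower()]
        for guid in GUID_RE.findall(fields.get("Properties", ""))
        if guid.lower() in REPLICATION_RIGHTS
    )
    if not requested:
        return None                      # ordinary object access, not replication
    subject = fields.get("SubjectUserName", "")
    if subject.upper() in ALLOWED_REPLICATORS:
        return None                      # DC-to-DC replication is expected
    severity = "high" if "DS-Replication-Get-Changes-All" in requested else "medium"
    return Finding(subject, fields.get("ObjectName", ""), requested, severity)


def detect_dcsync(lines) -> list:
    """Run classify() over an iterable of event lines and collect the findings."""
    return [finding for finding in map(classify, lines) if finding is not None]


# Constructed sample records: one legitimate DC, one service account pulling
# secrets, one user with the non-secret right only, one unrelated 4662, one 4624.
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=DC02$ SubjectDomainName=CORP ObjectType=domainDNS '
    'ObjectName="DC=corp,DC=example" AccessMask=0x100 '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=svc_backup SubjectDomainName=CORP ObjectType=domainDNS '
    'ObjectName="DC=corp,DC=example" AccessMask=0x100 '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=domainDNS '
    'ObjectName="DC=corp,DC=example" AccessMask=0x100 '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=jdoe SubjectDomainName=CORP ObjectType=user '
    'ObjectName="CN=jdoe,CN=Users,DC=corp,DC=example" AccessMask=0x20 '
    'Properties="{bf967aba-0de6-11d0-a285-00aa003049e2}"',
    'EventID=4624 SubjectUserName=jdoe LogonType=3',
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.subject} requested {', '.join(finding.rights)} "
              f"on {finding.object_name}")
```

The allowlist is the part that needs care in practice: it has to be kept in step with domain controller promotions and demotions, and any directory-synchronisation account that legitimately holds these rights should be listed explicitly rather than suppressed by a broad filter, since a compromised sync account is exactly the case the DS-Replication-Get-Changes-All severity is meant to surface.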
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | Protects | T1003.006 | DCSync | |
AC-03 | Access Enforcement | Protects | T1003.006 | DCSync | |
AC-04 | Information Flow Enforcement | Protects | T1003.006 | DCSync | |
AC-05 | Separation of Duties | Protects | T1003.006 | DCSync | |
AC-06 | Least Privilege | Protects | T1003.006 | DCSync | |
CA-07 | Continuous Monitoring | Protects | T1003.006 | DCSync | |
CM-02 | Baseline Configuration | Protects | T1003.006 | DCSync | |
CM-05 | Access Restrictions for Change | Protects | T1003.006 | DCSync | |
CM-06 | Configuration Settings | Protects | T1003.006 | DCSync | |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1003.006 | DCSync | |
IA-04 | Identifier Management | Protects | T1003.006 | DCSync | |
IA-05 | Authenticator Management | Protects | T1003.006 | DCSync | |
SC-28 | Protection of Information at Rest | Protects | T1003.006 | DCSync | |
SC-39 | Process Isolation | Protects | T1003.006 | DCSync | |
SI-03 | Malicious Code Protection | Protects | T1003.006 | DCSync | |
SI-04 | System Monitoring | Protects | T1003.006 | DCSync | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-SECA-E3 | Security Alerts | Technique Scores | T1003.006 | DCSync | |
Comments

Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts

License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.