1. Home
  2. ATT&CK Techniques
  3. T1003.006 DCSync

T1003.006 DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)

DCSync functionality has been included in the "lsadump" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.02 Privileged system access Mitigates T1003.006 DCSync
Comments
This diagnostic statement protects against DCSync through the use of privileged account management and the use of multi-factor authentication.
References
    DE.CM-06.02 Third-party access monitoring Mitigates T1003.006 DCSync
    Comments
    This diagnostic statement protects against DCSync through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
    References
      PR.AA-01.01 Identity and credential management Mitigates T1003.006 DCSync
      Comments
      This diagnostic statement protects against DCSync through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CA-07 Continuous Monitoring mitigates T1003.006 DCSync
        CM-06 Configuration Settings mitigates T1003.006 DCSync
        CM-05 Access Restrictions for Change mitigates T1003.006 DCSync
        IA-05 Authenticator Management mitigates T1003.006 DCSync
        IA-04 Identifier Management mitigates T1003.006 DCSync
        SC-28 Protection of Information at Rest mitigates T1003.006 DCSync
        SC-39 Process Isolation mitigates T1003.006 DCSync
        SI-03 Malicious Code Protection mitigates T1003.006 DCSync
        CM-02 Baseline Configuration mitigates T1003.006 DCSync
        IA-02 Identification and Authentication (Organizational Users) mitigates T1003.006 DCSync
        SI-04 System Monitoring mitigates T1003.006 DCSync
        AC-02 Account Management mitigates T1003.006 DCSync
        AC-03 Access Enforcement mitigates T1003.006 DCSync
        AC-04 Information Flow Enforcement mitigates T1003.006 DCSync
        AC-05 Separation of Duties mitigates T1003.006 DCSync
        AC-06 Least Privilege mitigates T1003.006 DCSync