Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1003.006 | DCSync | |
| AC-3 | Access Enforcement | Protects | T1003.006 | DCSync | |
| AC-4 | Information Flow Enforcement | Protects | T1003.006 | DCSync | |
| AC-5 | Separation of Duties | Protects | T1003.006 | DCSync | |
| AC-6 | Least Privilege | Protects | T1003.006 | DCSync | |
| CA-7 | Continuous Monitoring | Protects | T1003.006 | DCSync | |
| CM-2 | Baseline Configuration | Protects | T1003.006 | DCSync | |
| CM-5 | Access Restrictions for Change | Protects | T1003.006 | DCSync | |
| CM-6 | Configuration Settings | Protects | T1003.006 | DCSync | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1003.006 | DCSync | |
| IA-4 | Identifier Management | Protects | T1003.006 | DCSync | |
| IA-5 | Authenticator Management | Protects | T1003.006 | DCSync | |
| SC-28 | Protection of Information at Rest | Protects | T1003.006 | DCSync | |
| SC-39 | Process Isolation | Protects | T1003.006 | DCSync | |
| SI-3 | Malicious Code Protection | Protects | T1003.006 | DCSync | |
| SI-4 | System Monitoring | Protects | T1003.006 | DCSync |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1003.006 | DCSync |
Comments
This control's "Suspected DCSync attack (replication of directory services) (external ID 2006)" alert can detect DCSync attacks. The false positive rate should be low due to the identity of domain controllers on the network changing infrequently and therefore replication requests received from non-domain controllers should be a red flag.
References
|