T1003.006 DCSync Mappings

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller, a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admins groups, or computer accounts on the domain controller, are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. More precisely, any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain naming context can do so, which is why delegated service accounts (directory synchronization accounts, for example) deserve the same scrutiny as the built-in groups. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or to change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017)

DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs the same credential retrieval over the legacy Netlogon Remote Protocol (NRPC) rather than DRSUAPI. (Citation: Microsoft NRPC Dec 2017)
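
The description above reduces to one observable: a principal that is not a domain controller exercising the replication extended rights on the domain naming context. The following is an added detection example, not text or code from the ATT&CK page or from Mimikatz, written over constructed Windows Security event 4662 records (the sample events, the DC names and the "svc_aadconnect" sync account are all made up for illustration; the extended-right GUIDs and the Control Access bit are the real values a DC logs).

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example with constructed sample data; not part of the original page.
A domain controller's computer account requesting these rights is ordinary
replication. Any other principal doing so is the DCSync pattern.
"""
from dataclasses import dataclass

# controlAccessRight GUIDs a DC checks before answering DsGetNCChanges.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the 4662 Access Mask
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # class of the NC root object
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # unrelated extended right


@dataclass(frozen=True)
class Event4662:
    subject_account: str  # SubjectUserName, e.g. "DC01$" or "jdoe"
    object_type: str      # ObjectType field (schema class GUID)
    properties: str       # Properties field: access-type token followed by GUIDs
    access_mask: int      # AccessMask field


def replication_rights_requested(ev: Event4662) -> list[str]:
    """Names of the replication extended rights present in the Properties field."""
    props = ev.properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def is_dcsync_candidate(ev: Event4662, dc_accounts, allowlist=frozenset()) -> bool:
    """True when a non-DC, non-allowlisted principal requests replication rights."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False  # the replication rights are only exercised as Control Access
    if not replication_rights_requested(ev):
        return False
    known = {a.upper() for a in dc_accounts} | {a.upper() for a in allowlist}
    return ev.subject_account.upper() not in known


def triage(events, dc_accounts, allowlist=frozenset()):
    """Return (subject, [rights]) for every event matching the DCSync pattern."""
    return [(ev.subject_account, replication_rights_requested(ev))
            for ev in events if is_dcsync_candidate(ev, dc_accounts, allowlist)]


# Constructed sample events (not real telemetry). "%%7688" is the token Windows
# writes for the "Control Access" access type in the Properties field.
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWLIST = {"svc_aadconnect"}  # hypothetical sync account that legitimately replicates
SAMPLE_EVENTS = [
    # DC02 pulling changes from its partner: normal replication.
    Event4662("DC02$", DOMAIN_DNS_CLASS,
              "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}", 0x100),
    # A user account requesting both replication rights: the DCSync signature.
    Event4662("jdoe", DOMAIN_DNS_CLASS,
              "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}", 0x100),
    Event4662("jdoe", DOMAIN_DNS_CLASS,
              "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}", 0x100),
    # Allowlisted synchronization account: suppressed, but review the allowlist itself.
    Event4662("svc_aadconnect", DOMAIN_DNS_CLASS,
              "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}", 0x100),
    # Control Access on a different right (password reset on a user): not DCSync.
    Event4662("jdoe", USER_CLASS,
              "%%7688\n\t{" + USER_FORCE_CHANGE_PASSWORD + "}\n\t{" + USER_CLASS + "}", 0x100),
]

if __name__ == "__main__":
    for subject, rights in triage(SAMPLE_EVENTS, DC_ACCOUNTS, ALLOWLIST):
        print(f"ALERT possible DCSync by {subject}: {', '.join(rights)}")
```

Two caveats apply to running this against real logs. Event 4662 is only emitted when the "Audit Directory Service Access" subcategory is enabled on the domain controllers and the SACL on the domain naming context audits Control Access for these rights; and the allowlist must be maintained from the same ACL review the AC-6 and AC-2 rows below call for, since an attacker who can add replication rights to an arbitrary account can also pick one that a careless allowlist already excuses. A network-side check (DRSUAPI DsGetNCChanges traffic whose source is not a domain controller) is a useful complement when host auditing is incomplete.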



Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

NIST SP 800-53 controls
AC-2 | Account Management | Protects | T1003.006 | DCSync
AC-3 | Access Enforcement | Protects | T1003.006 | DCSync
AC-4 | Information Flow Enforcement | Protects | T1003.006 | DCSync
AC-5 | Separation of Duties | Protects | T1003.006 | DCSync
AC-6 | Least Privilege | Protects | T1003.006 | DCSync
CA-7 | Continuous Monitoring | Protects | T1003.006 | DCSync
CM-2 | Baseline Configuration | Protects | T1003.006 | DCSync
CM-5 | Access Restrictions for Change | Protects | T1003.006 | DCSync
CM-6 | Configuration Settings | Protects | T1003.006 | DCSync
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1003.006 | DCSync
IA-4 | Identifier Management | Protects | T1003.006 | DCSync
IA-5 | Authenticator Management | Protects | T1003.006 | DCSync
SC-28 | Protection of Information at Rest | Protects | T1003.006 | DCSync
SC-39 | Process Isolation | Protects | T1003.006 | DCSync
SI-3 | Malicious Code Protection | Protects | T1003.006 | DCSync
SI-4 | System Monitoring | Protects | T1003.006 | DCSync

VERIS action enumerations
action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1003.006 | OS Credential Dumping: DCSync
action.malware.variety.Export data | Export data to another site or system | related-to | T1003.006 | OS Credential Dumping: DCSync
action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1003.006 | OS Credential Dumping: DCSync