Description
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admins groups, and the computer accounts of domain controllers, are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. What the replication call actually requires is the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights on the domain naming context; those groups hold them by default, but any principal granted the same rights (for example through a misconfigured ACL) can replicate secrets in exactly the same way. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or to change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
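The replication request described above leaves a trace on the domain controller: Security event 4662 records the caller and the extended rights it asked for. The following PowerShell is an added example, not code from the ATT&CK page or from Mimikatz, showing how to flag a DCSync-style request by matching the replication right GUIDs against a list of accounts expected to replicate. The sample events, the account names (DC01$, DC02$, jdoe) and the object GUID are constructed for the demonstration; the rights GUIDs are the fixed schema values.

```powershell
# Added example, not code from the ATT&CK page or any cited project: flag
# DCSync-style replication requests recorded as Security event 4662 on a DC.
# The GUIDs are the fixed rightsGuid values of the replication control-access
# rights a DCSync caller needs on the domain naming context.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-DCSyncEvent {
    # Returns a finding for a 4662 event whose caller requested a replication
    # right and is not an expected replicator; returns $null otherwise.
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        # Accounts allowed to replicate: every DC machine account (NAME$) plus any
        # directory-sync service account (for example Azure AD Connect's MSOL_ account).
        [string[]]$ExpectedCallers = @()
    )
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4662 lists the requested extended rights as "{guid} {guid} ..." in Properties.
    $requested = foreach ($guid in $ReplicationRights.Keys) {
        if ($data['Properties'] -match [regex]::Escape($guid)) { $ReplicationRights[$guid] }
    }
    if (-not $requested) { return $null }

    # Do not trust the '$' suffix alone: any machine account that was granted the
    # rights could replicate, so match against the explicit DC list instead.
    $caller = $data['SubjectUserName']
    if ($ExpectedCallers -contains $caller) { return $null }

    [pscustomobject]@{
        Time   = $EventXml.Event.System.TimeCreated.SystemTime
        Caller = "$($data['SubjectDomainName'])\$caller"
        Rights = ($requested -join ', ')
        Object = $data['ObjectName']
    }
}

# Constructed sample events (not real logs): normal DC-to-DC replication, then a
# user account asking for Get-Changes-All on the domain object, which is DCSync.
$Samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">DC02$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">%{a3b1c2d4-0000-4000-8000-000000000001}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-05-01T10:07:13Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">%{a3b1c2d4-0000-4000-8000-000000000001}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
)

# Live: Get-ADDomainController -Filter * | ForEach-Object { $_.Name + '$' }
$expected = @('DC01$', 'DC02$')
$findings = foreach ($xml in $Samples) { Test-DCSyncEvent -EventXml $xml -ExpectedCallers $expected }
$findings | Format-Table -AutoSize

# Against a live DC (the Directory Service Access audit subcategory must be enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} |
#     ForEach-Object { Test-DCSyncEvent -EventXml $_.ToXml() -ExpectedCallers $expected }
```

The check keys on the caller rather than on the `$` suffix deliberately: a domain controller's own machine account is a legitimate replicator, but a workstation or service machine account that was granted the rights is not, and the explicit DC list is the only way to tell them apart from the event alone. Directory-synchronisation accounts (Azure AD Connect, some backup products) perform real DCSync as part of normal operation and belong on the expected list, not in an exclusion based on naming.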
Platforms
Windows
Mitigations (3)
Password Policies (M1027)
Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
Active Directory Configuration (M1015)
Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.(Citation: ADSecurity Mimikatz DCSync)(Citation: Microsoft Replication ACL)
Privileged Account Management (M1026)
Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.
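The Active Directory Configuration mitigation above says to manage the "Replicating Directory Changes" access control list but not how to see who currently holds those rights. The following PowerShell is an added example, not code from the ATT&CK page or from Microsoft, that reads the domain object's ACL through the ActiveDirectory module's AD: drive and flags every principal holding a replication extended right (or an unscoped extended-rights ACE, which covers them) outside an expected set. The expected-principal list and the domain name are assumptions to adjust for the forest being audited; the rights GUIDs are the fixed schema values.

```powershell
# Added example, not code from the ATT&CK page or Microsoft: audit which
# principals hold the replication control-access rights on the domain naming
# context. Requires the ActiveDirectory RSAT module (which provides the AD: drive)
# and read access to the domain object's security descriptor.
Import-Module ActiveDirectory

# Fixed rightsGuid values of the extended rights involved. DCSync of secrets needs
# Get-Changes plus Get-Changes-All; the filtered-set right alone does not expose them.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param(
        [string]$DomainDN,
        # Principals expected to hold the rights; anything else is flagged.
        # Assumed default below; adjust to your forest (Enterprise Admins and
        # Enterprise Read-only Domain Controllers live in the root domain).
        [string[]]$Expected
    )
    $domain = Get-ADDomain
    if (-not $DomainDN) { $DomainDN = $domain.DistinguishedName }
    if (-not $Expected) {
        $nb = $domain.NetBIOSName
        $Expected = @("$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Domain Controllers",
                      "$nb\Enterprise Read-only Domain Controllers",
                      'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                      'NT AUTHORITY\SYSTEM')
    }

    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight  # 0x100
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # The ExtendedRight bit is also set inside GenericAll, so full-control ACEs are caught too.
        if ((([int]$ace.ActiveDirectoryRights) -band $extendedRight) -eq 0) { continue }
        $guid = $ace.ObjectType.ToString()
        if ($guid -eq '00000000-0000-0000-0000-000000000000') {
            $right = 'All extended rights'          # unscoped ACE: includes replication
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } else {
            continue                                # some other extended right
        }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Right      = $right
            Inherited  = $ace.IsInherited
            Unexpected = ($Expected -notcontains $ace.IdentityReference.Value)
        }
    }
}

# Rows with Unexpected = True are the ones to review; remove stale grants with
# Set-Acl once confirmed unneeded (for example a retired sync service account).
Get-ReplicationRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run this from a scheduled task or configuration-compliance job rather than once: a principal added to this ACL is a persistence mechanism that survives password resets and group clean-ups, and the grant itself is the thing to alert on.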
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used a <code>DCSync</code> command with [Mimikatz](https://attack.mitre.org/software/S0002) t... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [Mimikatz](https://attack.mitre.org/software/S0002) DCSync feature to obtain user... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has utilized DCSync to extract credentials from victims.(Citation: Microsoft Storm-0501 Embargo Ra... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has used DCSync attacks to gather credentials for privilege escalation routines.(Citation: MSTIC DEV-... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0002 | Mimikatz | Tool | [Mimikatz](https://attack.mitre.org/software/S0002) performs credential dumping to obtain account and password information useful in gaining access to... |
References
- Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
- Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved August 7, 2017.
- Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.
- Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.
- Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.
- Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.
- SambaWiki. (n.d.). DRSUAPI. Retrieved December 4, 2017.
- Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
Frequently Asked Questions
What is T1003.006 (DCSync)?
T1003.006 is the MITRE ATT&CK sub-technique 'DCSync', part of OS Credential Dumping (T1003) in the Credential Access tactic. It covers abusing a Windows Domain Controller's replication API (MS-DRSR) to pull account password data as if the caller were another domain controller.(Citation: Microsoft DRSR Dec 2017)
How can T1003.006 be detected?
On the domain controller, enable auditing for the Directory Service Access subcategory and alert on Security event 4662 whose Properties field contains the replication extended-right GUIDs (DS-Replication-Get-Changes, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, and DS-Replication-Get-Changes-All, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and whose SubjectUserName is not a domain controller's machine account or a known directory-synchronisation service account.(Citation: ADSecurity Mimikatz DCSync) On the network, a DRSUAPI DsGetNCChanges request (MS-DRSR) arriving from an address that is not a domain controller is the same signal. SIEM and EDR rules built on these two sources catch DCSync directly; generic behavioural analytics are a fallback, not the primary control.
What mitigations exist for T1003.006?
There are 3 documented mitigations for T1003.006. Key mitigations include: Password Policies, Active Directory Configuration, Privileged Account Management.
Which threat groups use T1003.006?
Known threat groups using T1003.006 include: Earth Lusca, Mustang Panda, Storm-0501, LAPSUS$.