EXPLORE

← Back to Explore

T1003.006

DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync. Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain c...

Windows

14

Detections

3

Sources

4

Threat Actors

BY SOURCE

7sigma4elastic3splunk_escu

PROCEDURES (10)

Service3 detections

Auto-extracted: 3 detections for service

Dcsync2 detections

Auto-extracted: 2 detections for dcsync

Privilege2 detections

Auto-extracted: 2 detections for privilege

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Dcsync1 detections

Auto-extracted: 1 detections for dcsync

Powershell1 detections

Auto-extracted: 1 detections for powershell

Powershell1 detections

Auto-extracted: 1 detections for powershell

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

THREAT ACTORS (4)

Earth Lusca LAPSUS$Mustang Panda Storm-0501

DETECTIONS (14)

Active Directory Replication from Non Machine Account

Credential Dumping Tools Service Execution - Security

Credential Dumping Tools Service Execution - System

FirstTime Seen Account Performing DCSync

HackTool - Mimikatz Execution

Mimikatz DC Sync

Potential Active Directory Replication Account Backdoor

Potential Credential Access via DCSync

Potential PowerShell HackTool Script by Function Names

Suspicious Get-ADReplAccount

Windows AD Replication Request Initiated by User Account

Windows AD Replication Request Initiated from Unsanctioned Location

Windows AD Replication Service Traffic