OS Credential Dumping: DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)[1] [2] [3] [4] to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admins groups or computer accounts on the domain controller are able to run DCSync to pull password data[5] from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can in turn be used to create a Golden Ticket for use in Pass the Ticket[6] or to change an account's password as noted in Account Manipulation.[7]

DCSync functionality has been included in the "lsadump" module in Mimikatz.[8] Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.[9]

ID: T1003.006
Sub-technique of: T1003
Platforms: Windows
Contributors: ExtraHop; Vincent Le Toux
Version: 1.1
Created: 11 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider performed domain replication.[10]

G1006 Earth Lusca

Earth Lusca has used a DCSync command with Mimikatz to retrieve credentials from an exploited controller.[11]

G1004 LAPSUS$

LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.[12]

S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync/NetSync.[13][8][14][15][16]

G0129 Mustang Panda

Mustang Panda has leveraged Mimikatz DCSync feature to obtain user credentials.[17]

C0014 Operation Wocao

During Operation Wocao, threat actors used Mimikatz's DCSync to dump credentials from the memory of the targeted system.[18]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used privileged accounts to replicate directory service data with domain controllers.[19][20][21]

G1053 Storm-0501

Storm-0501 has utilized DCSync to extract credentials from victims.[22]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.[5][23]

M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0594 Detection of Unauthorized DCSync Operations via Replication API Abuse AN1632

Detects unauthorized invocation of replication operations (DCSync) via Directory Replication Service (DRS), often executed by threat actors using Mimikatz or similar tools from non-DC endpoints.
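As an added illustration of both the M1015 mitigation (auditing who holds the "Replicating Directory Changes" rights on the domain head) and the DET0594 analytic above, the following Python is example code, not MITRE's or any tool's own. It assumes the well-known Active Directory control-access-right GUIDs for replication and the standard Security event 4662 ("An operation was performed on an object") layout; the domain name, account names, ACL export and log records are constructed for the example.

```python
# Added example (not MITRE's or Mimikatz's code). The GUIDs are the well-known Active
# Directory control-access rights for replication; names and records below are constructed.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Principals that legitimately replicate: DC computer accounts and the built-in DC groups.
EXPECTED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\DOMAIN CONTROLLERS",
                        "CORP\\ENTERPRISE DOMAIN CONTROLLERS"}

def is_expected(identity: str) -> bool:
    return identity.strip().upper() in EXPECTED_REPLICATORS

def audit_replication_aces(aces):
    """M1015 check: (identity, right) for every ACE on the domain head that grants a
    replication right to a principal outside the expected set. An ACE is (identity, guid)."""
    findings = []
    for identity, guid in aces:
        right = REPLICATION_RIGHTS.get(guid.lower())
        if right and not is_expected(identity):
            findings.append((identity, right))
    return findings

def detect_dcsync_events(events):
    """DET0594/AN1632: flag Security event 4662 records whose Properties field names a
    replication right and whose subject is not an expected replicator."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [r for g, r in REPLICATION_RIGHTS.items() if g in props]
        if rights and not is_expected(f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"):
            hits.append((ev["SubjectUserName"], ev["Computer"], rights))
    return hits

SAMPLE_ACES = [  # constructed ACL export for the domain head
    ("CORP\\Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\svc-backup", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\svc-backup", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("CORP\\Domain Admins", "11111111-2222-3333-4444-555555555555"),  # placeholder, unrelated right
]
SAMPLE_EVENTS = [  # constructed 4662 records from DC01's Security log
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc-backup", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
     "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

The ACL audit surfaces a service account that should not hold replication rights, while the event check ignores DC02's routine replication and reports only the non-DC subject; in production, feed the expected set from the Domain Controllers OU rather than hard-coding it.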

References

  1. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  2. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  4. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  5. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
  6. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  7. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  8. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  9. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  10. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
  11. Microsoft. (n.d.). How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account. Retrieved December 4, 2017.