OS Credential Dumping: DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)[1] [2] [3] [4] to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data[5] from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket[6] or change an account's password as noted in Account Manipulation.[7]

DCSync functionality has been included in the "lsadump" module in Mimikatz.[8] Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.[9]

ID: T1003.006
Sub-technique of:  T1003
Tactic: Credential Access
Platforms: Windows
Permissions Required: Administrator
Data Sources: Active Directory: Active Directory Object Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Contributors: ExtraHop; Vincent Le Toux
Version: 1.0
Created: 11 February 2020
Last Modified: 22 April 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 leveraged privileged accounts to replicate directory service data with domain controllers.[10][11]

S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync/NetSync.[12][8][13][14]

G0116 Operation Wocao

Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system.[15]

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.[5][16]

M1027 Password Policies

Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

M1026 Privileged Account Management

Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.

Detection

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[1] [2] [3] Also monitor for network protocols[1] [9] and other replication requests[17] from IPs not associated with known domain controllers.[18]

Note: Domain controllers may not log replication requests originating from the default domain controller account.[19]

References