back

Find sigma rule :heavy_check_mark:

Attack: OS Credential Dumping: DCSync

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller’s application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account’s password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)

DCSync functionality has been included in the “lsadump” module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)

MITRE

Tactic

technique

Test : Run DSInternals Get-ADReplAccount

OS

Description:

The following Atomic will run Get-ADReplAccount from DSInternals. Upon successful execution, domain and credentials will appear in stdout. Reference CrowdStrike StellarParticle. https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/

Executor

powershell

Sigma Rule

back