OS Credential Dumping: DCSync

Description

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) [1] [2] [3] to simulate the replication process from a remote domain controller, using a technique called DCSync. Members of the Administrators, Domain Admins, and Enterprise Admins groups, or computer accounts on the domain controller, are able to run DCSync to pull password data [5] from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators.
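As an added example (not the page's own text and not Tenable's plugin code), the following Python script models the kind of ACL consistency check that exposes this risk: given the access control entries on the domain's root object, it computes which trustees hold the replication extended rights that DCSync needs and flags any that is not on an assumed baseline list. The ACE list, the account names and the baseline set are constructed for the example; the rightsGuid values are the well-known ones for the replication extended rights. A real audit would read the DACL over LDAP and expand group membership before applying the same logic.

```python
"""Audit the domain root DACL for principals able to run DCSync.

Added example, not Tenable's plugin code. Input is a constructed ACE list;
a real audit would read the DACL over LDAP and expand group membership.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Well-known rightsGuid values of the replication extended rights.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # DS-Replication-Get-Changes-In-Filtered-Set
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# DCSync needs Get-Changes together with Get-Changes-All (the latter returns secrets).
DCSYNC_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}

# Assumed baseline of trustees that hold replication rights on a stock domain
# root; tune it to the environment being audited.
EXPECTED_HOLDERS = frozenset({
    "Domain Controllers", "Enterprise Domain Controllers",
    "Administrators", "Domain Admins", "Enterprise Admins",
})


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool                        # False for an access-denied ACE
    control_access: bool               # ADS_RIGHT_DS_CONTROL_ACCESS (or a GenericAll implying it)
    object_guid: Optional[str] = None  # rightsGuid the ACE is scoped to; None = every extended right


def replication_rights_by_trustee(aces: Iterable[Ace]) -> dict:
    """Effective replication extended rights per trustee.

    Simplified DACL evaluation: a deny ACE for a right overrides any allow for
    the same trustee, as canonical ordering (denies first) would produce.
    """
    allowed: dict = {}
    denied: dict = {}
    for ace in aces:
        if not ace.control_access:
            continue  # not an extended-right ACE, irrelevant to replication
        if ace.object_guid is None:
            granted = set(REPLICATION_RIGHTS)  # unscoped: covers all extended rights
        elif ace.object_guid in REPLICATION_RIGHTS:
            granted = {ace.object_guid}
        else:
            continue  # some other extended right (e.g. a password reset right)
        bucket = allowed if ace.allow else denied
        bucket.setdefault(ace.trustee, set()).update(granted)
    effective = {}
    for trustee, rights in allowed.items():
        remaining = rights - denied.get(trustee, set())
        if remaining:
            effective[trustee] = remaining
    return effective


def find_dcsync_capable(aces: Iterable[Ace], expected=EXPECTED_HOLDERS) -> dict:
    """Trustees able to run DCSync, split into expected and unexpected holders."""
    rights = replication_rights_by_trustee(aces)
    capable = sorted(t for t, r in rights.items() if DCSYNC_RIGHTS <= r)
    return {
        "expected": [t for t in capable if t in expected],
        "unexpected": [t for t in capable if t not in expected],
    }


# Constructed sample DACL for a domain root (hypothetical trustees, not a real environment).
SAMPLE_ACES = [
    Ace("Domain Controllers", True, True, GET_CHANGES),
    Ace("Domain Controllers", True, True, GET_CHANGES_ALL),
    Ace("Domain Admins", True, True, None),              # full extended-rights grant
    Ace("svc-backup", True, True, GET_CHANGES),          # hypothetical service account
    Ace("svc-backup", True, True, GET_CHANGES_ALL),      # ... now DCSync-capable
    Ace("helpdesk-ops", True, True, GET_CHANGES),        # Get-Changes alone is not enough
    Ace("ex-contractor", True, True, None),              # broad grant ...
    Ace("ex-contractor", False, True, GET_CHANGES_ALL),  # ... but secrets explicitly denied
]

if __name__ == "__main__":
    report = find_dcsync_capable(SAMPLE_ACES)
    for t in report["unexpected"]:
        print(f"ALERT: {t} can run DCSync and is not an expected holder")
    for t in report["expected"]:
        print(f"ok: {t}")
```

On the sample data only the hypothetical `svc-backup` account is reported, because `helpdesk-ops` lacks Get-Changes-All and `ex-contractor` has it explicitly denied; the two built-in groups are recognised as expected holders. The deny handling is a simplification of Windows DACL evaluation and does not model inheritance or group expansion.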

Products, Sensors, and Dependencies

Product: Tenable Identity Exposure

Dependencies: none listed

Data source: Active Directory

Access required: Standard AD user

Protocol: LDAP

Data collected: User and Group membership and ACL

Notes: Plugin ID: C-ROOTOBJECTS-SD-CONSISTENCY

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: DCSync

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q3