OS Credential Dumping: DCSync


Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)[1] [2] [3]  to simulate the replication process from a remote domain controller using a technique called DCSync.Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data[5] from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Identity ExposureActive DirectoryStandard AD userLDAPUser and Group membership and ACLPlugin ID: C-ROOTOBJECTS-SD-CONSISTENCY

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: DCSync

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q3