• Tenable
  • Indicators
  • Settings
    Links
    Tenable Cloud Tenable Community & Support Tenable University
    Theme
  • Tenable
  • Plugins
  • Overview
  • Plugins Pipeline
  • Newest
  • Updated
  • Search
  • Nessus Families
  • WAS Families
  • NNM Families
  • LCE Families
  • Tenable OT Security Families
  • About Plugin Families
  • Release Notes
  • Audits
  • Overview
  • Newest
  • Updated
  • Search Audit Files
  • Search Items
  • References
  • Authorities
  • Documentation
  • Download All Audit Files
  • Indicators
  • Overview
  • Search
  • Indicators of Attack
  • Indicators of Exposure
  • CVEs
  • Overview
  • Newest
  • Updated
  • Search
  • Attack Path Techniques
  • Overview
  • Search
    • Links
    • Tenable Cloud
    • Tenable Community & Support
    • Tenable University
    • Settings
    • Theme
Detections
  • Plugins
  • Overview
  • Plugins Pipeline
  • Release Notes
  • Newest
  • Updated
  • Search
  • Nessus Families
  • WAS Families
  • NNM Families
  • LCE Families
  • Tenable OT Security Families
  • About Plugin Families
  • Audits
  • Overview
  • Newest
  • Updated
  • Search Audit Files
  • Search Items
  • References
  • Authorities
  • Documentation
  • Download All Audit Files
  • Indicators
  • Overview
  • Search
  • Indicators of Attack
  • Indicators of Exposure
Analytics
  • CVEs
  • Overview
  • Newest
  • Updated
  • Search
  • Attack Path Techniques
  • Overview
  • Search
  1. Indicators
  2. Indicators of Attack
  3. I-DCSync
  1. Indicators of Attack

DCSync

critical

Language:

Description

The DCSync command in Mimikatz allows an attacker to simulate a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.

See Also

MITRE ATT&CK description

Microsoft - MS-DRSR explained

ADsecurity.org - Mimikatz DCSync Usage, Exploitation and Detection

harmj0y.net - Mimikatz and DCSync and ExtraSids

Indicator Details

Name: DCSync

Codename: I-DCSync

Severity: Critical

Type: Indicator of Attack

MITRE ATT&CK Information:
ID: T1003.006
Sub-technique of: T1003
Tactic: TA0006

  • Tenable.com
  • Community & Support
  • Documentation
  • Education
  • © 2025 Tenable®, Inc. All Rights Reserved
  • Privacy Policy
  • Legal
  • 508 Compliance