Detections
Analytics

DCSync

critical

Language:

Description

The DCSync command in Mimikatz allows an attacker to simulate a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.

See Also

MITRE ATT&CK description

harmj0y.net - Mimikatz and DCSync and ExtraSids

Microsoft - MS-DRSR explained

ADsecurity.org - Mimikatz DCSync Usage, Exploitation and Detection

Indicator Details

Name: DCSync

Codename: I-DCSync

Severity: Critical

MITRE ATT&CK Information:
ID: T1003.006
Sub-technique of: T1003
Tactic: TA0006