Home > List all groups > List all tools > List all groups using tool DCSync

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: DCSync

TypeCredential stealer
Description(Stealthbits) DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.

DCSync itself is a command within Mimikatz and relies on utilizing specific commands within the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulates the behavior of a domain controller and asks other domain controllers to replicate information by using the Directory Replication Service Remote Protocol (MS-DRSR). Utilizing these protocols, this attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.

Last change to this tool card: 19 April 2020

Download this tool card in JSON format

All groups using tool DCSync


APT groups

 CalypsoChina2016-Mar 2021 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key