ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool DCSync

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: DCSync

NamesDCSync
CategoryMalware
TypeCredential stealer
Description(Stealthbits) DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.

DCSync itself is a command within Mimikatz and relies on utilizing specific commands within the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulates the behavior of a domain controller and asks other domain controllers to replicate information by using the Directory Replication Service Remote Protocol (MS-DRSR). Utilizing these protocols, this attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.
Information<https://blog.stealthbits.com/what-is-dcsync-an-introduction/>

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

Previous: DbxDump Utility
Next: DDG

All groups using tool DCSync

ChangedNameCountryObserved

APT groups

 CalypsoChina2016 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key