ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > List all tools > List all groups using tool DCSync

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: DCSync

NamesDCSync
CategoryMalware
TypeCredential stealer
Description(Stealthbits) DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.

DCSync itself is a command within Mimikatz and relies on utilizing specific commands within the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to simulates the behavior of a domain controller and asks other domain controllers to replicate information by using the Directory Replication Service Remote Protocol (MS-DRSR). Utilizing these protocols, this attack takes advantage of valid and necessary functions of Active Directory, which cannot be turned off or disabled.
Information<https://blog.stealthbits.com/what-is-dcsync-an-introduction/>

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

Previous: DCSrv
Next: DDG

All groups using tool DCSync

ChangedNameCountryObserved

APT groups

     ↳ Subgroup: Scattered Spider[Unknown]2022-Jul 2024X
 CalypsoChina2016-Aug 2021 
XMustang Panda, Bronze PresidentChina2012-Mar 2024 

3 groups listed (3 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]