DCSync - T1003.006
(ATT&CK® Technique)
Definition
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API) to simulate the replication process from a remote domain controller using a technique called DCSync.
D3FEND Inferred Relationships
Offensive technique to artifact:
- DCSync --may-modify--> Event Log
- DCSync --produces--> Intranet Administrative Network Traffic

Defensive techniques that analyze Intranet Administrative Network Traffic (each: --analyzes--> Intranet Administrative Network Traffic, --may-detect--> DCSync):
- Client-server Payload Profiling
- Connection Attempt Analysis
- Network Traffic Community Deviation
- Per Host Download-Upload Ratio Analysis
- Protocol Metadata Anomaly Detection
- Network Traffic Signature Analysis
- Remote Terminal Session Detection
- Administrative Network Activity Analysis
- User Geolocation Logon Pattern Analysis

Defensive techniques that filter Intranet Administrative Network Traffic (--filters--> Intranet Administrative Network Traffic, --may-isolate--> DCSync):
- Network Traffic Filtering