dcsync.yaml

---
title: T1003.006 - DCSYNC
tactic:
  - TA0006
technique: T1003.006
techniquename: DCSYNC
description:
header:
  name: T1003.006 - DCSYNC
  colspan: 4
rows:
  - Row1:
    name: Tools
    style:
      - red: 230
      - green: 159
      - blue: 0
    entries:
      - Mimikatz:
        name: Mimikatz lsadump::dcsync
        attributes:
          - colspan: 1
      - Empire:
        name: Empire Invoke-DCSync.ps1
        attributes:
          - colspan: 1
      - Impacket:
        name: Impacket secretdump.py
        attributes:
          - colspan: 1
  - Row2:
    name: Extended Rights
    style:
      - red: 86
      - green: 180
      - blue: 233
    entries:
      - extendedrights:
        # yamllint disable-line rule:line-length
        name: 0x100 - Control Access </br> {19195a5b-6da0–11d0-afd3–00c04fd930c9} — Domain-DNS Class(Object) </br> {1131f6ad-9c07–11d1-f79f-00c04fc2dcd2}- DS-Replication-Get-Changes-All(Extended Right)
        attributes:
          - colspan: 3
  - Row3:
    name: RPC Protocol
    style:
      - red: 0
      - green: 158
      - blue: 115
    entries:
      - rpc:
        name: Directory Replication Service
        attributes:
          - colspan: 3
  - Row4:
    name: RPC Interface
    style:
      - red: 240
      - green: 228
      - blue: 66
    entries:
      - rpcinterface:
        # yamllint disable-line rule:line-length
        name: DRSUAPI (e3514235-4b06-11d1-ab04-00c04fc2dcd2) </br> C:\windows\system32\ntdsai.dll </br> C:\windows\system32\ntdsapi.dll
        attributes:
          - colspan: 3
  - Row5:
    name: RPC Method
    style:
      - red: 213
      - green: 94
      - blue: 0
    entries:
      - rpcmethod:
        name: GetNCChanges REQ/REPLY
        attributes:
          - colspan: 3
  - Row6:
    name: Behavior
    style:
      - red: 204
      - green: 121
      - blue: 167
    entries:
      - behavior:
        name: Replication of a NC Replica
        attributes:
          - colspan: 3