title: DCSync (T1003.006)
id: df00tech-t1003-006
status: experimental
description: "Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction."
references:
  - https://attack.mitre.org/techniques/T1003/006/
  - https://df00tech.com/detections/T1003.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1003.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Azure AD Connect and other legitimate directory synchronization services that use DRSUAPI (configure an explicit exclusion for the sync account)
  - Active Directory replication between domain controllers; machine accounts (names ending in $) are excluded, but verify the exclusion is complete
  - Privileged Identity Management (PIM) tooling that reads directory data via replication APIs
  - Directory Services administrative tools run by authorized AD administrators during maintenance
level: critical
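The detection block above is a stub; as an added example that is not part of the df00tech rule, the following applies the check the rule describes to Windows Security event 4662 records (replication extended rights requested with Control Access), including the machine-account and sync-account exclusions from the falsepositives list. The sync account name MSOL_aadconnect and all sample events are assumptions constructed for the example; the three replication-right GUIDs are the real ones.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.
Added example, not the df00tech rule's own logic: constructed sample events,
real extended-right GUIDs, exclusions as the rule's falsepositives describe."""
from dataclasses import dataclass

# Extended rights that appear in the 4662 "Properties" field on a replication
# request: DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended rights)
# Assumed sync service account (e.g. Azure AD Connect): an explicit exclusion,
# as the rule text recommends, rather than a broad pattern.
SYNC_ACCOUNT_EXCLUSIONS = {"MSOL_aadconnect"}

@dataclass
class Event4662:
    subject_user: str    # SubjectUserName
    subject_domain: str  # SubjectDomainName
    access_mask: int     # AccessMask
    properties: str      # Properties: access-type token plus {GUID} entries

def requested_replication_rights(properties: str) -> set:
    """Return the replication-right GUIDs present in a raw Properties field."""
    tokens = properties.replace("{", " ").replace("}", " ").lower().split()
    return {t for t in tokens if t in REPLICATION_GUIDS}

def is_dcsync_candidate(ev: Event4662) -> bool:
    """True when a non-DC, non-sync principal asks for replication rights."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False
    if not requested_replication_rights(ev.properties):
        return False
    if ev.subject_user.endswith("$"):  # DC machine accounts replicate legitimately
        return False
    return ev.subject_user not in SYNC_ACCOUNT_EXCLUSIONS

# Constructed sample events: DC-to-DC replication, the sync account, a user
# requesting Get-Changes-All, and an unrelated property read (not a replication right).
SAMPLE_EVENTS = [
    Event4662("DC02$", "CORP", 0x100, "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("MSOL_aadconnect", "CORP", 0x100, "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "CORP", 0x100, "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "CORP", 0x20, "%%7688 {00000000-0000-0000-0000-00000000abcd}"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if is_dcsync_candidate(ev):
            print(f"ALERT DCSync candidate: {ev.subject_domain}\\{ev.subject_user}")
```

Running the block against the constructed events alerts only on the jdoe request that carries the Get-Changes and Get-Changes-All rights.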
