Skip to content

Hide Navigation Hide TOC

Suspicious Get-ADReplAccount (060c3ef1-fd0a-4091-bf46-e7d625f60b73)

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Get-ADReplAccount (060c3ef1-fd0a-4091-bf46-e7d625f60b73) Sigma-Rules DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2