Skip to content

Hide Navigation Hide TOC

Suspicious Get-ADReplAccount (060c3ef1-fd0a-4091-bf46-e7d625f60b73)

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Cluster A Galaxy A Cluster B Galaxy B Level
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Suspicious Get-ADReplAccount (060c3ef1-fd0a-4091-bf46-e7d625f60b73) Sigma-Rules 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2