detecting-dcsync-attack-in-active-directory

Original：🇺🇸 English

Translated

2 scripts

Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.

3installs

Sourcemukul975/anthropic-cybersecurity-skills

Added on2026-05-30

NPX Install

npx skill4agent add mukul975/anthropic-cybersecurity-skills detecting-dcsync-attack-in-active-directory

SKILL.md Content

View Translation Comparison →

Detecting DCSync Attack in Active Directory

When to Use

When hunting for credential theft in Active Directory environments
After compromise of accounts with Replicating Directory Changes permissions
When investigating suspected use of Mimikatz or Impacket secretsdump
During incident response involving lateral movement with domain admin credentials
When auditing AD replication permissions as part of security hardening

Prerequisites

Windows Security Event Logs with Event ID 4662 (Object Access) enabled
Advanced Audit Policy: Audit Directory Service Access enabled
Domain Controller event forwarding to SIEM
Knowledge of legitimate domain controller hostnames and IPs
Directory Service Access auditing with SACL on domain object

Workflow

Identify Legitimate Replication Sources: Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication.
Enable Required Auditing: Configure Advanced Audit Policy to capture Event ID 4662 on domain controllers with specific GUID monitoring for replication rights.
Monitor Replication Rights Access: Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c).
Detect Non-DC Replication Requests: Alert when any account NOT associated with a domain controller requests replication rights.
Correlate with Network Traffic: DCSync generates replication traffic (MS-DRSR/RPC) from the attacker's machine to the DC. Monitor for DrsGetNCChanges RPC calls from non-DC IP addresses.
Investigate Source Context: Examine the process, user account, and machine originating the replication request.
Check for Credential Abuse: After DCSync detection, audit for subsequent use of extracted hashes (pass-the-hash, golden ticket creation).

Key Concepts

Concept	Description
T1003.006	OS Credential Dumping: DCSync
DCSync	Mimicking domain controller replication to extract credentials
DsGetNCChanges	RPC function used to request AD replication data
DS-Replication-Get-Changes	AD permission required (GUID: 1131f6aa-...)
DS-Replication-Get-Changes-All	Permission including confidential attributes (GUID: 1131f6ad-...)
MS-DRSR	Microsoft Directory Replication Service Remote Protocol
KRBTGT Hash	Key target of DCSync enabling Golden Ticket attacks
Event ID 4662	Directory service object access audit event

Tools & Systems

Tool	Purpose
Mimikatz (lsadump::dcsync)	Primary DCSync attack tool
Impacket secretsdump.py	Python-based DCSync implementation
DSInternals	PowerShell module for AD replication
BloodHound	Map accounts with replication rights
Splunk / Elastic	SIEM correlation of 4662 events
Microsoft Defender for Identity	Native DCSync detection
CrowdStrike Falcon	EDR-based DCSync detection

Detection Queries

Splunk -- DCSync Detection via Event 4662

spl

index=wineventlog EventCode=4662
| where Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
    "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
    "*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, ".*\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| where count > 0
| table SubjectUserName SubjectDomainName Computer count ReplicationRights

KQL -- Microsoft Sentinel DCSync Detection

kql

SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
| where SubjectUserName !endswith "$"
| where SubjectUserName !in ("AzureADConnect", "MSOL_*")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated desc

Sigma Rule -- DCSync Activity

yaml

title: DCSync Activity Detected - Non-DC Replication Request
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    filter_dc:
        SubjectUserName|endswith: '$'
    condition: selection and not filter_dc
level: critical
tags:
    - attack.credential_access
    - attack.t1003.006

Common Scenarios

Mimikatz DCSync: Attacker with Domain Admin privileges runs
```
lsadump::dcsync /user:krbtgt
```
to extract KRBTGT hash for Golden Ticket creation.
Impacket secretsdump: Remote DCSync via
```
secretsdump.py domain/user:password@dc-ip
```
extracting all domain hashes.
Delegated Replication Rights: Attacker grants themselves Replicating Directory Changes rights via ACL modification before performing DCSync.
Azure AD Connect Abuse: Compromising the Azure AD Connect service account which has legitimate replication rights.
DSInternals PowerShell: Using
```
Get-ADReplAccount
```
cmdlet to replicate specific account credentials.

Output Format

Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Alert Severity: Critical
Source Account: [Account requesting replication]
Source Machine: [Hostname/IP of requestor]
Target DC: [Domain controller receiving request]
Replication Rights: [GUIDs accessed]
Timestamp: [Event time]
Legitimate DC: [Yes/No]
Known Service Account: [Yes/No]
Risk Assessment: [Critical - non-DC replication detected]