detecting-dcsync-attack-in-active-directory
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseDetecting DCSync Attack in Active Directory
检测Active Directory中的DCSync攻击
When to Use
使用场景
- When hunting for credential theft in Active Directory environments
- After compromise of accounts with Replicating Directory Changes permissions
- When investigating suspected use of Mimikatz or Impacket secretsdump
- During incident response involving lateral movement with domain admin credentials
- When auditing AD replication permissions as part of security hardening
- 在Active Directory环境中排查凭证窃取行为时
- 在拥有“复制目录更改”权限的账户被攻陷后
- 在调查疑似使用Mimikatz或Impacket secretsdump的情况时
- 在涉及使用域管理员凭证横向移动的事件响应过程中
- 在作为安全加固一部分审核AD复制权限时
Prerequisites
前提条件
- Windows Security Event Logs with Event ID 4662 (Object Access) enabled
- Advanced Audit Policy: Audit Directory Service Access enabled
- Domain Controller event forwarding to SIEM
- Knowledge of legitimate domain controller hostnames and IPs
- Directory Service Access auditing with SACL on domain object
- 已启用Event ID 4662(对象访问)的Windows安全事件日志
- 已启用高级审核策略:审核目录服务访问
- 域控制器事件已转发至SIEM
- 了解合法域控制器的主机名和IP地址
- 对域对象配置了SACL的目录服务访问审核
Workflow
工作流程
- Identify Legitimate Replication Sources: Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication.
- Enable Required Auditing: Configure Advanced Audit Policy to capture Event ID 4662 on domain controllers with specific GUID monitoring for replication rights.
- Monitor Replication Rights Access: Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c).
- Detect Non-DC Replication Requests: Alert when any account NOT associated with a domain controller requests replication rights.
- Correlate with Network Traffic: DCSync generates replication traffic (MS-DRSR/RPC) from the attacker's machine to the DC. Monitor for DrsGetNCChanges RPC calls from non-DC IP addresses.
- Investigate Source Context: Examine the process, user account, and machine originating the replication request.
- Check for Credential Abuse: After DCSync detection, audit for subsequent use of extracted hashes (pass-the-hash, golden ticket creation).
- 识别合法复制源:记录环境中所有域控制器的主机名、IP和计算机账户。只有这些账户应执行目录复制操作。
- 启用所需审核:配置高级审核策略,在域控制器上捕获Event ID 4662,并监控与复制权限相关的特定GUID。
- 监控复制权限访问:跟踪三个关键GUID的访问情况——DS-Replication-Get-Changes(1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)、DS-Replication-Get-Changes-All(1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)和DS-Replication-Get-Changes-In-Filtered-Set(89e95b76-444d-4c62-991a-0facbeda640c)。
- 检测非域控制器复制请求:当任何与域控制器无关的账户请求复制权限时触发告警。
- 关联网络流量:DCSync会生成从攻击者机器到域控制器的复制流量(MS-DRSR/RPC)。监控来自非域控制器IP地址的DrsGetNCChanges RPC调用。
- 调查源上下文:检查发起复制请求的进程、用户账户和机器。
- 检查凭证滥用情况:检测到DCSync后,审核提取的哈希值后续是否被滥用(如哈希传递、黄金票据创建)。
Key Concepts
核心概念
| Concept | Description |
|---|---|
| T1003.006 | OS Credential Dumping: DCSync |
| DCSync | Mimicking domain controller replication to extract credentials |
| DsGetNCChanges | RPC function used to request AD replication data |
| DS-Replication-Get-Changes | AD permission required (GUID: 1131f6aa-...) |
| DS-Replication-Get-Changes-All | Permission including confidential attributes (GUID: 1131f6ad-...) |
| MS-DRSR | Microsoft Directory Replication Service Remote Protocol |
| KRBTGT Hash | Key target of DCSync enabling Golden Ticket attacks |
| Event ID 4662 | Directory service object access audit event |
| 概念 | 描述 |
|---|---|
| T1003.006 | 操作系统凭证转储:DCSync |
| DCSync | 模拟域控制器复制以提取凭证 |
| DsGetNCChanges | 用于请求AD复制数据的RPC函数 |
| DS-Replication-Get-Changes | 所需的AD权限(GUID:1131f6aa-...) |
| DS-Replication-Get-Changes-All | 包含机密属性的权限(GUID:1131f6ad-...) |
| MS-DRSR | Microsoft目录复制服务远程协议 |
| KRBTGT Hash | DCSync的关键目标,可用于黄金票据攻击 |
| Event ID 4662 | 目录服务对象访问审核事件 |
Tools & Systems
工具与系统
| Tool | Purpose |
|---|---|
| Mimikatz (lsadump::dcsync) | Primary DCSync attack tool |
| Impacket secretsdump.py | Python-based DCSync implementation |
| DSInternals | PowerShell module for AD replication |
| BloodHound | Map accounts with replication rights |
| Splunk / Elastic | SIEM correlation of 4662 events |
| Microsoft Defender for Identity | Native DCSync detection |
| CrowdStrike Falcon | EDR-based DCSync detection |
| 工具 | 用途 |
|---|---|
| Mimikatz (lsadump::dcsync) | 主要的DCSync攻击工具 |
| Impacket secretsdump.py | 基于Python的DCSync实现 |
| DSInternals | 用于AD复制的PowerShell模块 |
| BloodHound | 映射拥有复制权限的账户 |
| Splunk / Elastic | 对4662事件进行SIEM关联分析 |
| Microsoft Defender for Identity | 原生DCSync检测功能 |
| CrowdStrike Falcon | 基于EDR的DCSync检测 |
Detection Queries
检测查询
Splunk -- DCSync Detection via Event 4662
Splunk -- 通过Event 4662检测DCSync
spl
index=wineventlog EventCode=4662
| where Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
"*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, ".*\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| where count > 0
| table SubjectUserName SubjectDomainName Computer count ReplicationRightsspl
index=wineventlog EventCode=4662
| where Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
"*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, ".*\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| where count > 0
| table SubjectUserName SubjectDomainName Computer count ReplicationRightsKQL -- Microsoft Sentinel DCSync Detection
KQL -- Microsoft Sentinel DCSync检测
kql
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
| where SubjectUserName !endswith "$"
| where SubjectUserName !in ("AzureADConnect", "MSOL_*")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated desckql
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
| where SubjectUserName !endswith "$"
| where SubjectUserName !in ("AzureADConnect", "MSOL_*")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated descSigma Rule -- DCSync Activity
Sigma规则 -- DCSync活动
yaml
title: DCSync Activity Detected - Non-DC Replication Request
status: stable
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
filter_dc:
SubjectUserName|endswith: '$'
condition: selection and not filter_dc
level: critical
tags:
- attack.credential_access
- attack.t1003.006yaml
title: DCSync Activity Detected - Non-DC Replication Request
status: stable
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
filter_dc:
SubjectUserName|endswith: '$'
condition: selection and not filter_dc
level: critical
tags:
- attack.credential_access
- attack.t1003.006Common Scenarios
常见场景
- Mimikatz DCSync: Attacker with Domain Admin privileges runs to extract KRBTGT hash for Golden Ticket creation.
lsadump::dcsync /user:krbtgt - Impacket secretsdump: Remote DCSync via extracting all domain hashes.
secretsdump.py domain/user:password@dc-ip - Delegated Replication Rights: Attacker grants themselves Replicating Directory Changes rights via ACL modification before performing DCSync.
- Azure AD Connect Abuse: Compromising the Azure AD Connect service account which has legitimate replication rights.
- DSInternals PowerShell: Using cmdlet to replicate specific account credentials.
Get-ADReplAccount
- Mimikatz DCSync:拥有域管理员权限的攻击者运行提取KRBTGT哈希以创建黄金票据。
lsadump::dcsync /user:krbtgt - Impacket secretsdump:通过远程执行DCSync,提取所有域哈希值。
secretsdump.py domain/user:password@dc-ip - 委派复制权限:攻击者通过修改ACL为自己授予“复制目录更改”权限,然后执行DCSync。
- Azure AD Connect滥用:攻陷拥有合法复制权限的Azure AD Connect服务账户。
- DSInternals PowerShell:使用cmdlet复制特定账户的凭证。
Get-ADReplAccount
Output Format
输出格式
Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Alert Severity: Critical
Source Account: [Account requesting replication]
Source Machine: [Hostname/IP of requestor]
Target DC: [Domain controller receiving request]
Replication Rights: [GUIDs accessed]
Timestamp: [Event time]
Legitimate DC: [Yes/No]
Known Service Account: [Yes/No]
Risk Assessment: [Critical - non-DC replication detected]Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Alert Severity: Critical
Source Account: [Account requesting replication]
Source Machine: [Hostname/IP of requestor]
Target DC: [Domain controller receiving request]
Replication Rights: [GUIDs accessed]
Timestamp: [Event time]
Legitimate DC: [Yes/No]
Known Service Account: [Yes/No]
Risk Assessment: [Critical - non-DC replication detected]