Detecting DCSync Attack in Active Directory

Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.

When to Use

  • When hunting for credential theft in Active Directory environments
  • After compromise of accounts with Replicating Directory Changes permissions
  • When investigating suspected use of Mimikatz or Impacket secretsdump
  • During incident response involving lateral movement with domain admin credentials
  • When auditing AD replication permissions as part of security hardening

Prerequisites

  • Windows Security Event Logs with Event ID 4662 (Object Access) enabled
  • Advanced Audit Policy: Audit Directory Service Access enabled
  • Domain Controller event forwarding to SIEM
  • Knowledge of legitimate domain controller hostnames and IPs
  • Directory Service Access auditing with SACL on domain object

Workflow

  1. Identify Legitimate Replication Sources: Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication.
  2. Enable Required Auditing: Configure Advanced Audit Policy (Audit Directory Service Access) and a SACL on the domain object so that domain controllers emit Event ID 4662 when the replication control-access GUIDs are exercised.
  3. Monitor Replication Rights Access: Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c).
  4. Detect Non-DC Replication Requests: Alert when any account NOT associated with a domain controller requests replication rights.
  5. Correlate with Network Traffic: DCSync generates replication traffic (MS-DRSR over RPC) from the attacker's machine to the DC. Monitor for DsGetNCChanges RPC calls from non-DC IP addresses.
  6. Investigate Source Context: Examine the process, user account, and machine originating the replication request.
  7. Check for Credential Abuse: After DCSync detection, audit for subsequent use of extracted hashes (pass-the-hash, golden ticket creation).
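The workflow above, carried through as a small Python triage routine (an added example, not code from this page or from Claw GRC): it matches the three replication-right GUIDs in 4662 Properties, excludes accounts by a documented DC inventory and service-account allowlist rather than a bare "$" suffix, and emits a record shaped like the Output Format section. The DC names, service account, hostnames and events are constructed sample data.

```python
# The three replication-control GUIDs from the workflow, keyed to their right names.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Workflow step 1: DC computer-account inventory and documented non-DC replicators (constructed names).
DC_ACCOUNTS = {"DC01$", "DC02$"}
KNOWN_SERVICE_ACCOUNTS = {"MSOL_1a2b3c4d5e6f"}  # e.g. an Azure AD Connect account

def replication_rights(properties):
    """Names of the replication-right GUIDs present in a 4662 Properties field (any case)."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]

def triage_event(event):
    """Hunt record for a 4662 event that is a non-DC replication request, else None."""
    rights = replication_rights(event.get("Properties", ""))
    if event.get("EventID") != 4662 or not rights:
        return None
    user = event["SubjectUserName"]
    # Allowlist rather than a bare "ends with $" test: any computer account can request replication.
    if user in DC_ACCOUNTS or user in KNOWN_SERVICE_ACCOUNTS:
        return None
    return {  # Output Format fields; 4662 has no source IP, so Source Machine needs 4624/RPC correlation
        "Source Account": f"{event['SubjectDomainName']}\\{user}",
        "Target DC": event["Computer"],
        "Replication Rights": rights,
        "Timestamp": event["TimeCreated"],
        "Risk Assessment": "Critical - non-DC replication detected",
    }

def hunt(events):
    """Triage a batch and number the hits TH-DCSYNC-<date>-<seq>."""
    hits = []
    for rec in filter(None, map(triage_event, events)):
        rec["Hunt ID"] = f"TH-DCSYNC-{rec['Timestamp'][:10]}-{len(hits) + 1:03d}"
        hits.append(rec)
    return hits

def ev(user, props, ts):  # builder for constructed 4662 records, not captured logs
    return {"EventID": 4662, "TimeCreated": ts, "Computer": "DC01.corp.local",
            "SubjectUserName": user, "SubjectDomainName": "CORP", "Properties": props}

SAMPLE_EVENTS = [
    ev("DC02$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "2024-05-01T10:00:00Z"),  # DC-to-DC: benign
    ev("jdoe", "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}", "2024-05-01T10:05:00Z"),   # user account
    ev("WKS07$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "2024-05-01T10:06:00Z"),  # non-DC computer
]
```

Running hunt(SAMPLE_EVENTS) flags the user account and the workstation computer account while the DC-to-DC event is dropped; the SIEM queries below, which only test for a trailing "$", would miss the workstation case.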

Key Concepts

Concept                          Description
T1003.006                        OS Credential Dumping: DCSync
DCSync                           Mimicking domain controller replication to extract credentials
DsGetNCChanges                   RPC function used to request AD replication data
DS-Replication-Get-Changes       AD permission required (GUID: 1131f6aa-...)
DS-Replication-Get-Changes-All   Permission including confidential attributes (GUID: 1131f6ad-...)
MS-DRSR                          Microsoft Directory Replication Service Remote Protocol
KRBTGT Hash                      Key target of DCSync enabling Golden Ticket attacks
Event ID 4662                    Directory service object access audit event

Tools & Systems

Tool                               Purpose
Mimikatz (lsadump::dcsync)         Primary DCSync attack tool
Impacket secretsdump.py            Python-based DCSync implementation
DSInternals                        PowerShell module for AD replication
BloodHound                         Map accounts with replication rights
Splunk / Elastic                   SIEM correlation of 4662 events
Microsoft Defender for Identity    Native DCSync detection
CrowdStrike Falcon                 EDR-based DCSync detection

Detection Queries

Splunk -- DCSync Detection via Event 4662

index=wineventlog EventCode=4662
    Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
                   "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
                   "*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, "\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| table SubjectUserName SubjectDomainName Computer count ReplicationRights

The wildcard GUID match belongs in the base search: the where command's IN operator does not expand wildcards, so the original where-based filter matched nothing. The count > 0 step was dropped because stats never emits a zero count.

KQL -- Microsoft Sentinel DCSync Detection

SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "89e95b76-444d-4c62-991a-0facbeda640c"
| where SubjectUserName !endswith "$"
| where SubjectUserName != "AzureADConnect" and SubjectUserName !startswith "MSOL_"
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated desc

KQL's !in compares exact strings, so an "MSOL_*" entry never matches; the Azure AD Connect exclusion uses !startswith instead.

Sigma Rule -- DCSync Activity

title: DCSync Activity Detected - Non-DC Replication Request
status: stable
description: Event 4662 access to a directory replication control-access right by an account that is not a domain controller computer account or a documented replication service account
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter_dc:
        SubjectUserName|endswith: '$'
    filter_svc:
        SubjectUserName|startswith: 'MSOL_'
    condition: selection and not 1 of filter_*
falsepositives:
    - Azure AD Connect and other documented service accounts that legitimately hold replication rights
level: critical
tags:
    - attack.credential_access
    - attack.t1003.006

All three queries exclude computer accounts by the trailing "$" alone, which also suppresses a compromised workstation or member server account; where the SIEM holds the DC inventory from workflow step 1, match against that list instead of the suffix.

Common Scenarios

  1. Mimikatz DCSync: Attacker with Domain Admin privileges runs lsadump::dcsync /user:krbtgt to extract KRBTGT hash for Golden Ticket creation.
  2. Impacket secretsdump: Remote DCSync via secretsdump.py domain/user:password@dc-ip extracting all domain hashes.
  3. Delegated Replication Rights: Attacker grants themselves Replicating Directory Changes rights via ACL modification before performing DCSync.
  4. Azure AD Connect Abuse: Compromising the Azure AD Connect service account which has legitimate replication rights.
  5. DSInternals PowerShell: Using Get-ADReplAccount cmdlet to replicate specific account credentials.

Output Format

Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Alert Severity: Critical
Source Account: [Account requesting replication]
Source Machine: [Hostname/IP of requestor]
Target DC: [Domain controller receiving request]
Replication Rights: [GUIDs accessed]
Timestamp: [Event time]
Legitimate DC: [Yes/No]
Known Service Account: [Yes/No]
Risk Assessment: [Critical - non-DC replication detected]

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
  • ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
  • NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
  • NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add detecting-dcsync-attack-in-active-directory

# Or load dynamically via MCP
grc.load_skill("detecting-dcsync-attack-in-active-directory")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.
