Detecting DCSync Attack in Active Directory When to Use - When hunting for credential theft in Active Directory environments - After compromise of accounts with Replicating Directory Changes permissions - When investigating suspected use of Mimikatz or Impacket secretsdump - During incident response involving lateral movement with domain admin credentials - When auditing AD replication permissions as part of security hardening Prerequisites - Windows Security Event Logs with Event ID 4662 (Object Access) enabled - Advanced Audit Policy: Audit Directory Service Access enabled - Domain Controll…

\n condition: selection and not filter_dc\nlevel: critical\ntags:\n - attack.credential_access\n - attack.t1003.006\n```\n\n## Common Scenarios\n\n1. **Mimikatz DCSync**: Attacker with Domain Admin privileges runs `lsadump::dcsync /user:krbtgt` to extract KRBTGT hash for Golden Ticket creation.\n2. **Impacket secretsdump**: Remote DCSync via `secretsdump.py domain/user:password@dc-ip` extracting all domain hashes.\n3. **Delegated Replication Rights**: Attacker grants themselves Replicating Directory Changes rights via ACL modification before performing DCSync.\n4. **Azure AD Connect Abuse**: Compromising the Azure AD Connect service account which has legitimate replication rights.\n5. **DSInternals PowerShell**: Using `Get-ADReplAccount` cmdlet to replicate specific account credentials.\n\n## Output Format\n\n```\nHunt ID: TH-DCSYNC-[DATE]-[SEQ]\nAlert Severity: Critical\nSource Account: [Account requesting replication]\nSource Machine: [Hostname/IP of requestor]\nTarget DC: [Domain controller receiving request]\nReplication Rights: [GUIDs accessed]\nTimestamp: [Event time]\nLegitimate DC: [Yes/No]\nKnown Service Account: [Yes/No]\nRisk Assessment: [Critical - non-DC replication detected]\n```\n---","attachment_filenames":["assets/template.md","references/api-reference.md","references/standards.md","references/workflows.md","scripts/agent.py","scripts/process.py"],"attachments":[{"filename":"assets/template.md","content":"# DCSync Attack Detection Hunt Template\n\n## Hunt Metadata\n| Field | Value |\n|-------|-------|\n| Hunt ID | TH-DCSYNC-YYYY-MM-DD-NNN |\n| Analyst | |\n| Date | |\n| Status | [ ] In Progress / [ ] Complete |\n\n## Hypothesis\n> An adversary with elevated AD privileges is performing DCSync to extract password hashes from Active Directory by replicating directory data from a non-domain-controller machine.\n\n## Pre-Hunt Checklist\n- [ ] Event ID 4662 audit policy enabled on all DCs\n- [ ] SACL configured on domain root object\n- [ ] Domain 
controller inventory documented\n- [ ] Known service accounts with replication rights documented\n- [ ] Azure AD Connect accounts identified (if hybrid)\n\n## DCSync Detection Findings\n\n| # | Timestamp | Subject Account | Source Machine | Target DC | Replication Rights | Severity |\n|---|-----------|-----------------|----------------|-----------|-------------------|----------|\n| 1 | | | | | | |\n\n## Accounts with Replication Rights Audit\n\n| Account | Type | Rights | Legitimate | Justification |\n|---------|------|--------|-----------|---------------|\n| | User/Service/Computer | Get-Changes / Get-Changes-All | Yes/No | |\n\n## Post-DCSync Impact Assessment\n\n| Check | Status | Notes |\n|-------|--------|-------|\n| KRBTGT hash potentially compromised | | |\n| Domain Admin hashes extracted | | |\n| Service account credentials at risk | | |\n| Golden Ticket creation possible | | |\n\n## Response Actions\n1. **Disable**: [Compromised accounts]\n2. **Reset**: [KRBTGT password -- twice, 12 hours apart]\n3. **Revoke**: [Unauthorized replication rights]\n4. **Investigate**: [Source machine forensics]\n5. 
**Monitor**: [Subsequent credential abuse attempts]\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1674,"content_sha256":"5a3d523e81de3de12a4ca628bfd20bf1dfc548bd74ae0ebd8f8b0a4c62958ab0"},{"filename":"references/api-reference.md","content":"# API Reference: Detecting DCSync Attack in Active Directory\n\n## DCSync Replication GUIDs\n\n| GUID | Right |\n|------|-------|\n| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes |\n| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All |\n| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set |\n\n## Windows Event ID 4662 Fields\n\n```xml\n\u003cEventID>4662\u003c/EventID>\n\u003cData Name=\"SubjectUserName\">attacker\u003c/Data>\n\u003cData Name=\"SubjectDomainName\">CORP\u003c/Data>\n\u003cData Name=\"Properties\">{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\u003c/Data>\n\u003cData Name=\"ObjectName\">DC=corp,DC=local\u003c/Data>\n```\n\n## python-evtx Usage\n\n```python\nimport Evtx.Evtx as evtx\nwith evtx.Evtx(\"Security.evtx\") as log:\n for record in log.records():\n xml = record.xml()\n # Filter for EventID 4662 with replication GUIDs\n```\n\n## Splunk SPL Detection Query\n\n```spl\nindex=wineventlog EventCode=4662\n| where Properties IN (\"*1131f6aa*\", \"*1131f6ad*\", \"*89e95b76*\")\n| where NOT match(SubjectUserName, \".*\\\\$\")\n| stats count values(Properties) by SubjectUserName Computer\n```\n\n## KQL (Microsoft Sentinel)\n\n```kql\nSecurityEvent\n| where EventID == 4662\n| where Properties has \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\"\n| where SubjectUserName !endswith \"$\"\n| project TimeGenerated, SubjectUserName, Computer, Properties\n```\n\n## PowerShell - Audit Replication Permissions\n\n```powershell\n$domain = (Get-ADDomain).DistinguishedName\n$acl = Get-Acl \"AD:\\$domain\"\n$acl.Access | Where-Object {\n $_.ObjectType -in @(\n '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',\n '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n )\n} 
| Select IdentityReference, ObjectType\n```\n\n## Attack Tools Reference\n\n| Tool | Command |\n|------|---------|\n| Mimikatz | `lsadump::dcsync /user:krbtgt /domain:corp.local` |\n| Impacket | `secretsdump.py corp/admin:pass@dc-ip` |\n| DSInternals | `Get-ADReplAccount -SamAccountName krbtgt` |\n\n## CLI Usage\n\n```bash\npython agent.py --security-log Security.evtx --dc-accounts known_dcs.txt\npython agent.py --generate-sigma\npython agent.py --check-perms\n```\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2081,"content_sha256":"308974d465d8ff50203a724f6c82ce7d32d34ad13f2add760def86e44b1bea2f"},{"filename":"references/standards.md","content":"# Standards and References - DCSync Attack Detection\n\n## MITRE ATT&CK Credential Access (TA0006)\n\n| Technique | Name | Relevance |\n|-----------|------|-----------|\n| T1003.006 | OS Credential Dumping: DCSync | Primary technique |\n| T1003.001 | LSASS Memory | Often combined with DCSync for complete credential theft |\n| T1003.003 | NTDS | Alternative to DCSync using ntdsutil or volume shadow copy |\n| T1078.002 | Valid Accounts: Domain Accounts | Using dumped credentials |\n| T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Primary goal of KRBTGT hash extraction |\n| T1222.001 | File and Directory Permissions Modification | Granting replication rights |\n\n## Critical Replication GUIDs\n\n| GUID | Permission Name | Risk |\n|------|----------------|------|\n| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes | Required for DCSync |\n| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All | Includes confidential attributes (passwords) |\n| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set | Partial replication rights |\n\n## Windows Event IDs for DCSync Detection\n\n| Event ID | Source | Description |\n|----------|--------|-------------|\n| 4662 | Security | Directory Service Object Access (primary detection) |\n| 
4624 | Security | Successful logon (correlate source of replication) |\n| 4672 | Security | Special privileges assigned (admin logon) |\n| 4738 | Security | User account changed (permission grants) |\n| 5136 | Security | Directory Service Object modified (ACL changes) |\n\n## Known Threat Actors Using DCSync\n\n| Actor | Context |\n|-------|---------|\n| APT29 (Cozy Bear) | Used DCSync in SolarWinds campaign |\n| FIN6 | DCSync for credential harvesting in retail/hospitality |\n| Wizard Spider | TrickBot/Conti ransomware using DCSync pre-encryption |\n| APT28 (Fancy Bear) | DCSync in government network intrusions |\n| LAPSUS$ | DCSync after AD compromise for data theft |\n\n## Legitimate Replication Sources\n\n| Source | Reason | How to Distinguish |\n|--------|--------|--------------------|\n| Domain Controllers | Normal AD replication | Computer account ends with $ |\n| Azure AD Connect | Hybrid identity sync | MSOL_ service account |\n| Backup Software | AD backup operations | Documented service accounts |\n| Migration Tools | Cross-forest migrations | Temporary, documented operations |\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":2372,"content_sha256":"0cd96908f7f38d0bfed05dfa749db64db5dd370301034c7c5fb492c8a0e682cb"},{"filename":"references/workflows.md","content":"# Detailed Hunting Workflow - DCSync Attack Detection\n\n## Phase 1: Enumerate Legitimate Replication Accounts\n\n### Step 1.1 - List All Domain Controllers\n```powershell\nGet-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem\n```\n\n### Step 1.2 - Find Accounts with Replication Rights\n```powershell\n# Find all accounts with Replicating Directory Changes\nImport-Module ActiveDirectory\n$rootDSE = Get-ADRootDSE\n$domainDN = $rootDSE.defaultNamingContext\n$acl = Get-Acl \"AD:\\$domainDN\"\n$acl.Access | Where-Object {\n $_.ObjectType -eq \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\" -or\n $_.ObjectType -eq 
\"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\"\n} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType\n```\n\n### Step 1.3 - BloodHound Query for DCSync Rights\n```cypher\nMATCH p=(n)-[:GetChanges|GetChangesAll]->(d:Domain)\nWHERE NOT n:Domain\nRETURN n.name, labels(n)\n```\n\n## Phase 2: Deploy Detection\n\n### Step 2.1 - Enable Required Audit Policy\n```cmd\nauditpol /set /subcategory:\"Directory Service Access\" /success:enable /failure:enable\n```\n\n### Step 2.2 - Configure SACL on Domain Object\nApply SACL to the domain root object monitoring for:\n- Control Access rights\n- Access to Replication GUIDs\n- By Everyone or Authenticated Users\n\n## Phase 3: Active Monitoring\n\n### Step 3.1 - Splunk Real-Time Detection\n```spl\nindex=wineventlog source=\"WinEventLog:Security\" EventCode=4662\n| rex field=Properties \"(?\u003cguid>\\{[0-9a-f-]+\\})\"\n| where guid IN (\"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\",\n \"{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\",\n \"{89e95b76-444d-4c62-991a-0facbeda640c}\")\n| lookup dc_accounts SubjectUserName OUTPUT is_dc\n| where is_dc!=\"true\"\n| eval alert_severity=\"CRITICAL\"\n| table _time SubjectUserName SubjectDomainName Computer guid alert_severity\n```\n\n### Step 3.2 - Network-Level Detection\n```spl\nindex=zeek sourcetype=dce_rpc\n| where operation=\"DRSGetNCChanges\"\n| lookup domain_controllers src_ip OUTPUT is_dc\n| where is_dc!=\"true\"\n| table _time src_ip dst_ip operation\n```\n\n## Phase 4: Investigation\n\n### Step 4.1 - Determine Source Machine\nCorrelate Event 4662 with Event 4624 to identify the source workstation:\n```spl\nindex=wineventlog EventCode=4624 LogonType=3\n| where TargetUserName=[suspected_account]\n| table _time TargetUserName IpAddress WorkstationName LogonType\n```\n\n### Step 4.2 - Check for Subsequent Credential Abuse\n```spl\nindex=wineventlog EventCode=4769\n| where ServiceName=\"krbtgt\"\n| where TicketEncryptionType=\"0x17\"\n| table _time TargetUserName ServiceName IpAddress 
TicketEncryptionType\n```\n\n## Phase 5: Response\n\n### Step 5.1 - Immediate Containment\n1. Disable compromised account immediately\n2. Rotate KRBTGT password (twice, 12 hours apart)\n3. Reset all service account passwords\n4. Block source IP at network level\n5. Isolate source machine for forensics\n\n### Step 5.2 - Remediation\n1. Remove unauthorized replication rights\n2. Review all accounts with DCSync-capable permissions\n3. Implement tiered administration model\n4. Enable Microsoft Defender for Identity DCSync alerts\n5. Deploy Protected Users security group for admin accounts\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":3106,"content_sha256":"fe6dfe614aa570184623a9ff723737a1c1a3b47f4a91bdf931e3870780c26d7f"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n\"\"\"DCSync attack detection agent for Active Directory environments.\n\nParses Windows Security Event ID 4662 logs to detect non-domain-controller\naccounts requesting directory replication (DCSync technique T1003.006).\n\"\"\"\n\nimport argparse\nimport json\nimport re\nfrom datetime import datetime\n\ntry:\n import Evtx.Evtx as evtx\nexcept ImportError:\n evtx = None\n\nREPLICATION_GUIDS = {\n \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes\",\n \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes-All\",\n \"89e95b76-444d-4c62-991a-0facbeda640c\": \"DS-Replication-Get-Changes-In-Filtered-Set\",\n}\n\nKNOWN_REPLICATION_ACCOUNTS = set()\n\n\ndef load_dc_accounts(filepath):\n if not filepath:\n return set()\n accounts = set()\n with open(filepath, \"r\") as f:\n for line in f:\n line = line.strip()\n if line and not line.startswith(\"#\"):\n accounts.add(line.upper())\n return accounts\n\n\ndef parse_4662_events(filepath, dc_accounts):\n if evtx is None:\n return {\"error\": \"python-evtx not installed: pip install python-evtx\"}\n findings = []\n total_4662 = 0\n\n with evtx.Evtx(filepath) as log:\n for record in 
log.records():\n xml = record.xml()\n if \"\u003cEventID>4662\u003c/EventID>\" not in xml:\n continue\n total_4662 += 1\n\n props = re.search(r'\u003cData Name=\"Properties\">([^\u003c]+)', xml)\n if not props:\n continue\n prop_text = props.group(1).lower()\n\n matched_rights = []\n for guid, name in REPLICATION_GUIDS.items():\n if guid in prop_text:\n matched_rights.append(name)\n if not matched_rights:\n continue\n\n subject = re.search(r'\u003cData Name=\"SubjectUserName\">([^\u003c]+)', xml)\n domain = re.search(r'\u003cData Name=\"SubjectDomainName\">([^\u003c]+)', xml)\n logon_id = re.search(r'\u003cData Name=\"SubjectLogonId\">([^\u003c]+)', xml)\n object_name = re.search(r'\u003cData Name=\"ObjectName\">([^\u003c]+)', xml)\n time_created = re.search(r'SystemTime=\"([^\"]+)\"', xml)\n computer = re.search(r'\u003cComputer>([^\u003c]+)', xml)\n\n subject_name = subject.group(1) if subject else \"\"\n domain_name = domain.group(1) if domain else \"\"\n full_account = f\"{domain_name}\\\\{subject_name}\".upper()\n\n if subject_name.endswith(\"$\"):\n if subject_name.upper().rstrip(\"$\") in dc_accounts or \\\n full_account.rstrip(\"$\") in dc_accounts:\n continue\n\n if subject_name.upper() in dc_accounts or full_account in dc_accounts:\n continue\n\n is_machine = subject_name.endswith(\"$\")\n severity = \"HIGH\" if is_machine else \"CRITICAL\"\n\n findings.append({\n \"event_id\": 4662,\n \"timestamp\": time_created.group(1) if time_created else \"\",\n \"subject_user\": subject_name,\n \"subject_domain\": domain_name,\n \"logon_id\": logon_id.group(1) if logon_id else \"\",\n \"computer\": computer.group(1) if computer else \"\",\n \"object_name\": object_name.group(1) if object_name else \"\",\n \"replication_rights\": matched_rights,\n \"is_machine_account\": is_machine,\n \"severity\": severity,\n \"mitre\": \"T1003.006\",\n \"description\": \"Non-DC account requesting directory replication\",\n })\n\n return {\"total_4662_events\": total_4662, 
\"dcsync_detections\": findings}\n\n\ndef check_replication_permissions_powershell():\n query = \"\"\"\nImport-Module ActiveDirectory\n$domain = (Get-ADDomain).DistinguishedName\n$acl = Get-Acl \"AD:\\\\$domain\"\n$repl_rights = @(\n '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',\n '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n)\n$acl.Access | Where-Object {\n $_.ObjectType -in $repl_rights -and\n $_.AccessControlType -eq 'Allow'\n} | Select-Object IdentityReference, ObjectType, AccessControlType |\n ConvertTo-Json\n\"\"\"\n return {\"powershell_query\": query.strip(),\n \"note\": \"Run on a domain controller with RSAT tools\"}\n\n\ndef generate_sigma_rule():\n return {\n \"title\": \"DCSync Activity - Non-DC Replication Request\",\n \"status\": \"stable\",\n \"logsource\": {\"product\": \"windows\", \"service\": \"security\"},\n \"detection\": {\n \"selection\": {\n \"EventID\": 4662,\n \"Properties|contains\": [\n \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\",\n \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\",\n ]\n },\n \"filter_dc\": {\"SubjectUserName|endswith\": \"$\"},\n \"condition\": \"selection and not filter_dc\"\n },\n \"level\": \"critical\",\n \"tags\": [\"attack.credential_access\", \"attack.t1003.006\"],\n }\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"DCSync Attack Detector\")\n parser.add_argument(\"--security-log\", help=\"Windows Security EVTX file\")\n parser.add_argument(\"--dc-accounts\", help=\"File with known DC account names (one per line)\")\n parser.add_argument(\"--generate-sigma\", action=\"store_true\", help=\"Output Sigma detection rule\")\n parser.add_argument(\"--check-perms\", action=\"store_true\",\n help=\"Show PowerShell query for replication permissions\")\n args = parser.parse_args()\n\n results = {\"timestamp\": datetime.utcnow().isoformat() + \"Z\"}\n\n dc_accounts = load_dc_accounts(args.dc_accounts)\n dc_accounts.update(KNOWN_REPLICATION_ACCOUNTS)\n\n if args.security_log:\n parsed = parse_4662_events(args.security_log, 
dc_accounts)\n if isinstance(parsed, dict) and \"error\" in parsed:\n results[\"error\"] = parsed[\"error\"]\n else:\n results.update(parsed)\n results[\"total_detections\"] = len(parsed.get(\"dcsync_detections\", []))\n\n if args.generate_sigma:\n results[\"sigma_rule\"] = generate_sigma_rule()\n\n if args.check_perms:\n results[\"permission_check\"] = check_replication_permissions_powershell()\n\n print(json.dumps(results, indent=2))\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":6252,"content_sha256":"b39b38d16e109a7030f60d7c72cb6075e1d55a64e40ee06e9ea7e010f96b9118"},{"filename":"scripts/process.py","content":"#!/usr/bin/env python3\n\"\"\"\nDCSync Attack Detection Script\nAnalyzes Windows Security Event 4662 logs to identify non-domain-controller\naccounts requesting Active Directory replication rights.\n\"\"\"\n\nimport json\nimport csv\nimport argparse\nimport datetime\nimport re\nfrom pathlib import Path\n\nREPLICATION_GUIDS = {\n \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes\",\n \"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\": \"DS-Replication-Get-Changes-All\",\n \"89e95b76-444d-4c62-991a-0facbeda640c\": \"DS-Replication-Get-Changes-In-Filtered-Set\",\n}\n\nGUID_PATTERN = re.compile(r\"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\", re.IGNORECASE)\n\n\ndef load_dc_list(dc_file: str) -> set:\n \"\"\"Load known domain controller accounts from file.\"\"\"\n dcs = set()\n if dc_file:\n path = Path(dc_file)\n if path.exists():\n with open(path, \"r\", encoding=\"utf-8\") as f:\n for line in f:\n line = line.strip()\n if line and not line.startswith(\"#\"):\n dcs.add(line.lower())\n return dcs\n\n\ndef parse_events(input_path: str) -> list[dict]:\n \"\"\"Parse Windows event log exports (JSON, CSV, EVTX-exported CSV).\"\"\"\n path = Path(input_path)\n events = []\n if path.suffix == \".json\":\n with open(path, \"r\", encoding=\"utf-8\") as f:\n data = 
json.load(f)\n events = data if isinstance(data, list) else data.get(\"events\", [])\n elif path.suffix == \".csv\":\n with open(path, \"r\", encoding=\"utf-8-sig\") as f:\n events = [dict(row) for row in csv.DictReader(f)]\n return events\n\n\ndef detect_dcsync(events: list[dict], known_dcs: set) -> list[dict]:\n \"\"\"Detect DCSync activity from Event 4662 logs.\"\"\"\n findings = []\n for event in events:\n event_id = str(event.get(\"EventID\", event.get(\"EventCode\", event.get(\"event_id\", \"\"))))\n if event_id != \"4662\":\n continue\n\n properties = event.get(\"Properties\", event.get(\"properties\", \"\"))\n if not properties:\n continue\n\n found_guids = GUID_PATTERN.findall(properties.lower())\n replication_guids = [g for g in found_guids if g in REPLICATION_GUIDS]\n if not replication_guids:\n continue\n\n subject_user = event.get(\"SubjectUserName\", event.get(\"subject_user_name\", \"\"))\n subject_domain = event.get(\"SubjectDomainName\", event.get(\"subject_domain_name\", \"\"))\n computer = event.get(\"Computer\", event.get(\"computer\", \"\"))\n timestamp = event.get(\"TimeCreated\", event.get(\"_time\", event.get(\"timestamp\", \"\")))\n\n # Check if this is a legitimate domain controller\n is_dc = False\n subject_lower = subject_user.lower()\n if subject_lower.endswith(\"$\"):\n if subject_lower in known_dcs or subject_lower.rstrip(\"$\") in known_dcs:\n is_dc = True\n\n if is_dc:\n continue\n\n replication_rights = [REPLICATION_GUIDS[g] for g in replication_guids]\n has_get_changes_all = \"DS-Replication-Get-Changes-All\" in replication_rights\n\n severity = \"CRITICAL\" if has_get_changes_all else \"HIGH\"\n\n findings.append({\n \"timestamp\": timestamp,\n \"subject_user\": subject_user,\n \"subject_domain\": subject_domain,\n \"computer\": computer,\n \"replication_guids\": replication_guids,\n \"replication_rights\": replication_rights,\n \"has_get_changes_all\": has_get_changes_all,\n \"is_machine_account\": 
subject_user.endswith(\"$\"),\n \"severity\": severity,\n \"description\": f\"Non-DC account '{subject_user}' requested replication rights: {', '.join(replication_rights)}\",\n })\n\n return sorted(findings, key=lambda x: x.get(\"timestamp\", \"\"), reverse=True)\n\n\ndef run_hunt(input_path: str, dc_file: str, output_dir: str) -> None:\n \"\"\"Execute DCSync detection hunt.\"\"\"\n print(f\"[*] DCSync Detection Hunt - {datetime.datetime.now().isoformat()}\")\n\n known_dcs = load_dc_list(dc_file)\n print(f\"[*] Known domain controllers: {len(known_dcs)}\")\n\n events = parse_events(input_path)\n print(f\"[*] Loaded {len(events)} events\")\n\n findings = detect_dcsync(events, known_dcs)\n print(f\"[!] DCSync detections: {len(findings)}\")\n\n output_path = Path(output_dir)\n output_path.mkdir(parents=True, exist_ok=True)\n\n with open(output_path / \"dcsync_findings.json\", \"w\", encoding=\"utf-8\") as f:\n json.dump({\n \"hunt_id\": f\"TH-DCSYNC-{datetime.date.today().isoformat()}\",\n \"total_events\": len(events),\n \"findings_count\": len(findings),\n \"findings\": findings,\n }, f, indent=2)\n\n with open(output_path / \"dcsync_report.md\", \"w\", encoding=\"utf-8\") as f:\n f.write(\"# DCSync Attack Detection Report\\n\\n\")\n f.write(f\"**Date**: {datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\\n\")\n f.write(f\"**Events Analyzed**: {len(events)}\\n\")\n f.write(f\"**Findings**: {len(findings)}\\n\\n\")\n for finding in findings:\n f.write(f\"## [{finding['severity']}] {finding['subject_user']}\\n\")\n f.write(f\"- **Time**: {finding['timestamp']}\\n\")\n f.write(f\"- **Computer**: {finding['computer']}\\n\")\n f.write(f\"- **Rights**: {', '.join(finding['replication_rights'])}\\n\")\n f.write(f\"- **Description**: {finding['description']}\\n\\n\")\n\n print(f\"[+] Results written to {output_dir}\")\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"DCSync Attack Detection\")\n parser.add_argument(\"--input\", \"-i\", required=True, 
help=\"Path to Windows event logs\")\n parser.add_argument(\"--dc-list\", \"-d\", default=\"\", help=\"File with known DC accounts\")\n parser.add_argument(\"--output\", \"-o\", default=\"./dcsync_hunt_output\", help=\"Output directory\")\n args = parser.parse_args()\n run_hunt(args.input, args.dc_list, args.output)\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":5977,"content_sha256":"d9d2016a63cee09e13d4dd875bcc0775c1448260edbd1c544f3b32670a81481a"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Detecting DCSync Attack in Active Directory","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When hunting for credential theft in Active Directory environments","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"After compromise of accounts with Replicating Directory Changes permissions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When investigating suspected use of Mimikatz or Impacket secretsdump","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"During incident response involving lateral movement with domain admin credentials","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When auditing AD replication permissions as part of security hardening","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Windows Security Event Logs with Event ID 4662 (Object Access) enabled","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Advanced 
Audit Policy: Audit Directory Service Access enabled","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Domain Controller event forwarding to SIEM","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Knowledge of legitimate domain controller hostnames and IPs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Directory Service Access auditing with SACL on domain object","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Identify Legitimate Replication Sources","type":"text","marks":[{"type":"strong"}]},{"text":": Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable Required Auditing","type":"text","marks":[{"type":"strong"}]},{"text":": Configure Advanced Audit Policy to capture Event ID 4662 on domain controllers with specific GUID monitoring for replication rights.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor Replication Rights Access","type":"text","marks":[{"type":"strong"}]},{"text":": Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c).","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect Non-DC Replication Requests","type":"text","marks":[{"type":"strong"}]},{"text":": Alert when any account NOT associated with a domain controller requests replication 
rights.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Correlate with Network Traffic","type":"text","marks":[{"type":"strong"}]},{"text":": DCSync generates replication traffic (MS-DRSR/RPC) from the attacker's machine to the DC. Monitor for DrsGetNCChanges RPC calls from non-DC IP addresses.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Investigate Source Context","type":"text","marks":[{"type":"strong"}]},{"text":": Examine the process, user account, and machine originating the replication request.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check for Credential Abuse","type":"text","marks":[{"type":"strong"}]},{"text":": After DCSync detection, audit for subsequent use of extracted hashes (pass-the-hash, golden ticket creation).","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Concepts","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Concept","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"T1003.006","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"OS Credential Dumping: 
DCSync","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DCSync","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mimicking domain controller replication to extract credentials","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DsGetNCChanges","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"RPC function used to request AD replication data","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DS-Replication-Get-Changes","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"AD permission required (GUID: 1131f6aa-...)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DS-Replication-Get-Changes-All","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Permission including confidential attributes (GUID: 1131f6ad-...)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MS-DRSR","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Microsoft Directory Replication Service Remote 
Protocol","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"KRBTGT Hash","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Key target of DCSync enabling Golden Ticket attacks","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Event ID 4662","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Directory service object access audit event","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Systems","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tool","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Purpose","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mimikatz (lsadump::dcsync)","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Primary DCSync attack tool","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Impacket secretsdump.py","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Python-based 
DCSync implementation","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DSInternals","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"PowerShell module for AD replication","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"BloodHound","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Map accounts with replication rights","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Splunk / Elastic","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SIEM correlation of 4662 events","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Microsoft Defender for Identity","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Native DCSync detection","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"CrowdStrike Falcon","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"EDR-based DCSync detection","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Detection 
Queries","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Splunk -- DCSync Detection via Event 4662","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"spl"},"content":[{"text":"index=wineventlog EventCode=4662 AccessMask=0x100\n    Properties IN (\"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n                   \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n                   \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n| where NOT match(SubjectUserName, \".*\\\\$\")\n| where NOT SubjectUserName IN (\"known_svc_account1\", \"known_svc_account2\")\n| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer\n| table SubjectUserName SubjectDomainName Computer count ReplicationRights","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"KQL -- Microsoft Sentinel DCSync Detection","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"kql"},"content":[{"text":"SecurityEvent\n| where EventID == 4662\n| where AccessMask == \"0x100\"  // control access: extended-right checks only, not property reads\n| where Properties has_any (\"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\",\n                            \"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\")\n| where SubjectUserName !endswith \"$\"\n| where SubjectUserName !startswith \"MSOL_\" and SubjectUserName !~ \"AzureADConnect\"\n| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, AccessMask, Properties\n| sort by TimeGenerated desc","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Sigma Rule -- DCSync Activity","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"title: DCSync Activity Detected - Non-DC Replication Request\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4662\n    AccessMask: '0x100'   # control access; drops ordinary property reads on the domain object\n    Properties|contains:\n      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'\n      - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n  filter_dc:\n    SubjectUserName|endswith: '$'\n  filter_svc:\n    SubjectUserName|startswith: 'MSOL_'\n  condition: selection and not 1 of filter_*\nfalsepositives:\n  - Entra Connect (Azure AD Connect) and other service accounts that legitimately hold replication rights\nlevel: critical\ntags:\n  - attack.credential_access\n  - attack.t1003.006","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Scenarios","type":"text"}]},
{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mimikatz DCSync","type":"text","marks":[{"type":"strong"}]},{"text":": Attacker holding Domain Admin (or any account that has both replication rights) runs ","type":"text"},{"text":"lsadump::dcsync /user:krbtgt","type":"text","marks":[{"type":"code_inline"}]},{"text":" to extract the KRBTGT hash for Golden Ticket creation.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Impacket secretsdump","type":"text","marks":[{"type":"strong"}]},{"text":": Remote DCSync via ","type":"text"},{"text":"secretsdump.py domain/user:password@dc-ip","type":"text","marks":[{"type":"code_inline"}]},{"text":" extracting all domain hashes over DRSUAPI, so nothing is written to the DC's disk.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Delegated Replication Rights","type":"text","marks":[{"type":"strong"}]},{"text":": Attacker grants themselves (or a principal they control) both Replicating Directory Changes and Replicating Directory Changes All on the domain object via ACL modification before performing DCSync; with Directory Service Changes auditing enabled the grant is logged as Event ID 5136 on the object's nTSecurityDescriptor attribute.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Azure AD Connect Abuse","type":"text","marks":[{"type":"strong"}]},{"text":": Compromising the Azure AD Connect (Microsoft Entra Connect) synchronization account, which legitimately holds replication rights and is therefore normally allow-listed in the queries above, so its activity must be baselined rather than ignored.","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"DSInternals PowerShell","type":"text","marks":[{"type":"strong"}]},{"text":": Using the ","type":"text"},{"text":"Get-ADReplAccount","type":"text","marks":[{"type":"code_inline"}]},{"text":" cmdlet to replicate a single account's secrets; the DC performs the same access check and logs the same 4662 events regardless of the client tool.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output 
Format","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Hunt ID: TH-DCSYNC-[DATE]-[SEQ]\nAlert Severity: Critical\nSource Account: [Account requesting replication]\nSource Machine: [Hostname/IP of requestor]\nTarget DC: [Domain controller receiving request]\nReplication Rights: [GUIDs accessed]\nTimestamp: [Event time]\nLegitimate DC: [Yes/No]\nKnown Service Account: [Yes/No]\nRisk Assessment: [Critical - non-DC replication detected]","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"detecting-dcsync-attack-in-active-directory","tags":["threat-hunting","active-directory","dcsync","credential-theft","mitre-t1003-006","mimikatz","kerberos"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/detecting-dcsync-attack-in-active-directory/SKILL.md","repo_owner":"mukul975","body_sha256":"cccd6abc8a68f7e3b954e08061640d124afc4ed64f87476d058bc6339d07e987","cluster_key":"15a38286e987f7c4feb02cd827bfccbf770b95f25382872d395867ab60c4e4a9","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/detecting-dcsync-attack-in-active-directory/SKILL.md","attachments":[{"id":"a3ebb814-cabd-515b-a894-bbdcf61c1379","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/a3ebb814-cabd-515b-a894-bbdcf61c1379/attachment.md","path":"assets/template.md","size":1674,"sha256":"5a3d523e81de3de12a4ca628bfd20bf1dfc548bd74ae0ebd8f8b0a4c62958ab0","contentType":"text/markdown; charset=utf-8"},{"id":"8c38e551-b325-56a5-bdfe-dcca958640b8","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/8c38e551-b325-56a5-bdfe-dcca958640b8/attachment.md","path":"references/api-reference.md","size":2081,"sha256":"308974d465d8ff50203a724f6c82ce7d32d34ad13f2add760def86e44b1bea2f","contentType":"text/markdown; 
charset=utf-8"},{"id":"34a0d5dc-317d-512e-abd5-03bebf4d3392","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/34a0d5dc-317d-512e-abd5-03bebf4d3392/attachment.md","path":"references/standards.md","size":2372,"sha256":"0cd96908f7f38d0bfed05dfa749db64db5dd370301034c7c5fb492c8a0e682cb","contentType":"text/markdown; charset=utf-8"},{"id":"fc3e05b2-9677-5cc6-8a88-27e88056f28a","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/fc3e05b2-9677-5cc6-8a88-27e88056f28a/attachment.md","path":"references/workflows.md","size":3106,"sha256":"fe6dfe614aa570184623a9ff723737a1c1a3b47f4a91bdf931e3870780c26d7f","contentType":"text/markdown; charset=utf-8"},{"id":"0f9d32fa-59f3-5c0c-a36d-63066e20d1da","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/0f9d32fa-59f3-5c0c-a36d-63066e20d1da/attachment.py","path":"scripts/agent.py","size":6252,"sha256":"b39b38d16e109a7030f60d7c72cb6075e1d55a64e40ee06e9ea7e010f96b9118","contentType":"text/x-python; charset=utf-8"},{"id":"6c1eec8d-8ccd-5ac7-a482-f3aa22e3f98d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6c1eec8d-8ccd-5ac7-a482-f3aa22e3f98d/attachment.py","path":"scripts/process.py","size":5977,"sha256":"d9d2016a63cee09e13d4dd875bcc0775c1448260edbd1c544f3b32670a81481a","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"7a637e5a7e8116c0229f0b1be540c77c83b7c6eade82717e88a6e4375ecbcd93","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":2,"skill_md_path":"skills/detecting-dcsync-attack-in-active-directory/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":1},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["DE.CM-01","DE.AE-02","DE.AE-07","ID.RA-05"],"subdomain":"threat-hunting","import_tag":"clean-skills-v1","description":"Detect DCSync attacks where adversaries abuse Active 
Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.","d3fend_techniques":["Application Protocol Command Analysis","Network Isolation","Network Traffic Analysis","Client-server Payload Profiling","Platform Monitoring"]}},"renderedAt":1782987331543}
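The Splunk, KQL and Sigma queries on this page express one filter: Event ID 4662 with control-access mask 0x100, a replication extended-right GUID in Properties, and a subject that is neither a machine account nor a known replication service account. As an added example (not code from the original page or its repository), here is that filter in Python, run over constructed 4662/4624 samples and aggregated per account and DC the way the Splunk `stats ... by` clause does. It also fills the Output Format's Source Machine field, which 4662 cannot supply on its own, from the nearest preceding type-3 4624 logon of the same account on the same DC. The DC addresses, the MSOL_/AzureADConnect allow-list and every sample account are assumptions.

```python
"""Added example (not the page's own code): the 4662 filters from the Splunk/KQL/Sigma
queries as Python, run over constructed sample events, with the requester's address taken
from the matching 4624 network logon. DC addresses, the service-account allow-list and all
sample accounts are assumptions."""
import re
from datetime import datetime

# Extended rights checked by DsGetNCChanges; DCSync of secrets needs the first two.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100                      # 4662 AccessMask for an extended-right check
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}   # assumed domain controller addresses
KNOWN_SVC_ACCOUNTS = {"azureadconnect"}     # assumed accounts with legitimate replication rights
KNOWN_SVC_PREFIXES = ("msol_",)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def extract_guids(properties):
    """GUIDs from a 4662 Properties value such as '%%7688\\n\\t{1131f6ad-...}\\n\\t{19195a5b-...}'."""
    return {g.lower() for g in GUID_RE.findall(properties or "")}

def is_allowlisted(user):
    """Machine accounts (DC-to-DC replication) and known replication service accounts."""
    u = user.lower()
    return u.endswith("$") or u in KNOWN_SVC_ACCOUNTS or u.startswith(KNOWN_SVC_PREFIXES)

def source_of(hit, logons, window_s=600):
    """Latest type-3 4624 for the same account on the same DC within window_s seconds
    before the 4662, because 4662 itself carries no client address."""
    t, best = datetime.fromisoformat(hit["time"]), None
    for lg in logons:
        if (lg["Computer"] == hit["Computer"] and lg["LogonType"] == "3"
                and lg["TargetUserName"].lower() == hit["SubjectUserName"].lower()):
            age = (t - datetime.fromisoformat(lg["time"])).total_seconds()
            if 0 <= age <= window_s and (best is None or lg["time"] > best["time"]):
                best = lg
    return best

def hunt(events, date="2024-03-04"):
    """One Output Format record per (domain, account, DC), like the Splunk stats ... by clause."""
    logons = [e for e in events if e["EventID"] == 4624]
    groups = {}
    for e in sorted((e for e in events if e["EventID"] == 4662), key=lambda e: e["time"]):
        rights = extract_guids(e["Properties"]) & set(REPL_RIGHTS)
        if int(e["AccessMask"], 16) != CONTROL_ACCESS or not rights or is_allowlisted(e["SubjectUserName"]):
            continue
        key = (e["SubjectDomainName"], e["SubjectUserName"], e["Computer"])
        groups.setdefault(key, {"first": e, "rights": set()})["rights"] |= rights
    records = []
    for (dom, user, dc), g in groups.items():
        src = source_of(g["first"], logons)
        ip = src["IpAddress"] if src else "unknown"
        records.append({
            "Hunt ID": f"TH-DCSYNC-{date}-{len(records) + 1:03d}",
            "Alert Severity": "Critical",
            "Source Account": f"{dom}\\{user}",
            "Source Machine": f"{src['WorkstationName']}/{ip}" if src else ip,
            "Target DC": dc,
            "Replication Rights": sorted(REPL_RIGHTS[r] for r in g["rights"]),
            "Timestamp": g["first"]["time"],
            "Legitimate DC": "Yes" if ip in KNOWN_DC_IPS else "No",
            "Known Service Account": "No",
            "Risk Assessment": ("Critical - non-DC replication detected" if ip not in KNOWN_DC_IPS
                                else "Review - user account replicating from a DC address"),
        })
    return records

def ev4662(time, dc, user, mask, *guids):
    """Constructed 4662 record; Properties laid out as Windows renders it (one GUID per line)."""
    return {"EventID": 4662, "time": time, "Computer": dc, "SubjectUserName": user, "SubjectDomainName": "CORP",
            "AccessMask": mask, "Properties": "\n\t".join(f"{{{g}}}" for g in guids)}

def ev4624(time, dc, user, ip, host):
    """Constructed type-3 4624 record on the DC that later serves the replication request."""
    return {"EventID": 4624, "time": time, "Computer": dc, "TargetUserName": user, "TargetDomainName": "CORP",
            "LogonType": "3", "IpAddress": ip, "WorkstationName": host}

GC, GCA = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_DNS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # domainDNS class GUID present in every hit
SAMPLE_EVENTS = [                                     # constructed, not real log data
    ev4624("2024-03-04T10:00:00", "DC01.corp.local", "jdoe", "10.0.5.23", "WS-FIN-07"),
    ev4662("2024-03-04T10:00:02", "DC01.corp.local", "jdoe", "0x100", GC, DOMAIN_DNS),   # one 4662 per right
    ev4662("2024-03-04T10:00:02", "DC01.corp.local", "jdoe", "0x100", GCA, DOMAIN_DNS),
    ev4662("2024-03-04T10:01:00", "DC01.corp.local", "DC02$", "0x100", GCA, DOMAIN_DNS),  # DC-to-DC replication
    ev4662("2024-03-04T10:02:00", "DC02.corp.local", "MSOL_a1b2c3d4", "0x100", GCA, DOMAIN_DNS),  # Entra Connect
    ev4662("2024-03-04T10:03:00", "DC01.corp.local", "jdoe", "0x10", DOMAIN_DNS),         # plain property read
    ev4624("2024-03-04T10:04:58", "DC02.corp.local", "svc_backup", "10.0.0.11", "DC02"),
    ev4662("2024-03-04T10:05:00", "DC02.corp.local", "svc_backup", "0x100", GC, DOMAIN_DNS),  # tool run on a DC
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_EVENTS):
        print("\n".join(f"{k}: {v}" for k, v in rec.items()), end="\n\n")
```

Two details worth carrying back into the SIEM queries: a single DCSync run produces one 4662 per extended right checked (Get-Changes and Get-Changes-All arrive as separate events with one GUID each), so grouping by account and DC is what turns the pair into one alert; and a user account whose source address is a DC is not a false positive but a different finding (tooling run on the DC itself, as in the svc_backup sample), which is why the record keeps Legitimate DC and Risk Assessment as separate fields.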
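Scenario 3 in Common Scenarios has a precursor worth its own check: the ACL change that hands out the replication rights, which Event ID 5136 records as the new nTSecurityDescriptor value in SDDL when Directory Service Changes auditing is on. As an added example (not from the page or its repository), this parses that SDDL, keeps only object ACEs that grant Control Access (CR) for a DS-Replication-Get-Changes* GUID, and reports any trustee outside the default holders. The sample event, its SIDs and the default-holder baseline are constructed assumptions; confirm the baseline against your own ACL review (BloodHound in the Tools table maps the real holders).

```python
"""Added example (not the page's own code): flag a 5136 nTSecurityDescriptor change that grants
replication extended rights on the domain object to an unexpected trustee. Sample event,
SIDs and the default-holder baseline are constructed assumptions."""
import re

REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# SDDL object ACE: (type;flags;rights;object_guid;inherit_guid;trustee); only OA/OD ACEs carry a GUID.
ACE_RE = re.compile(r"\((OA|OD);([^;]*);([^;]*);([0-9a-f-]{36});([^;]*);([^;)]+)\)", re.I)
# Assumed baseline of principals that hold replication rights by default (SDDL aliases and SIDs).
DEFAULT_HOLDERS = {"BA", "DA", "EA", "ED", "DD", "S-1-5-32-544", "S-1-5-9"}

def replication_grants(sddl):
    """(trustee, right) for every allow object-ACE whose extended-right GUID is a replication right."""
    grants = []
    for ace_type, _flags, rights, guid, _inh, trustee in ACE_RE.findall(sddl):
        name = REPL_RIGHTS.get(guid.lower())
        tokens = re.findall(r"[A-Z]{2}", rights.upper())      # SDDL rights are two-letter tokens
        if ace_type.upper() == "OA" and name and "CR" in tokens:  # CR = ADS_RIGHT_DS_CONTROL_ACCESS
            grants.append((trustee, name))
    return grants

def is_default_holder(trustee):
    """Domain Controllers (RID 516) plus the aliases/SIDs in the assumed baseline."""
    return trustee.upper() in DEFAULT_HOLDERS or trustee.endswith("-516")

def unexpected_grants(event):
    """Replication grants in a 5136 'Value Added' change to nTSecurityDescriptor, minus default holders."""
    if (event.get("EventID") != 5136
            or event.get("AttributeLDAPDisplayName", "").lower() != "ntsecuritydescriptor"
            or event.get("OperationType") != "%%14674"):   # %%14674 = Value Added, %%14675 = Value Deleted
        return []
    return [(t, r) for t, r in replication_grants(event["AttributeValue"]) if not is_default_holder(t)]

SAMPLE_5136 = {  # constructed: jdoe grants RID 1105 both DCSync rights on the domain root
    "EventID": 5136, "OperationType": "%%14674", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
    "ObjectDN": "DC=corp,DC=local", "ObjectClass": "domainDNS",
    "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "AttributeValue": ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)"
                       "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)"
                       "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1234567890-987654321-1122334455-1105)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1234567890-987654321-1122334455-1105)"),
}

if __name__ == "__main__":
    for trustee, right in unexpected_grants(SAMPLE_5136):
        print(f"{SAMPLE_5136['SubjectDomainName']}\\{SAMPLE_5136['SubjectUserName']} granted {right} to {trustee}")
```

A modification to nTSecurityDescriptor produces a 5136 pair, one Value Deleted event with the old descriptor and one Value Added with the new one, so the OperationType check keeps the rule from firing twice; the rights grant precedes the 4662 activity, sometimes by days, which makes this a useful lead-time signal for the hunt rather than a replacement for it.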