This note documents detection patterns related to DCSync within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4662 | Directory object operation | Critical | Key indicator of DCSync. Look for access to replication-related permissions such as DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. Review SubjectUserName and ObjectType. |
| Security | 4624 | Successful logon | High | Often precedes DCSync when an attacker authenticates to a DC using compromised credentials. Review LogonType, WorkstationName, and IpAddress. |
| Security | 4672 | Special privileges assigned | High | Indicates a privileged session, such as a Domain Admin logon, that may perform replication operations. |
| Security | 4688 | Process creation | Medium | May reveal execution of tools performing DCSync operations such as mimikatz. |
| Sysmon | 1 | Process creation | High | Look for mimikatz execution or other credential extraction utilities. |
| Sysmon | 3 | Network connection | High | Connections from unusual hosts directly communicating with domain controllers using RPC replication protocols. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Replication from non-DC host | Directory replication requests originating from a workstation or server not designated as a domain controller | Critical | Strong signal of DCSync activity. |
| Unusual privileged account usage | Accounts that do not normally perform directory replication requesting replication privileges | High | Investigate service accounts or compromised admin accounts. |
| Abnormal LDAP/RPC traffic | Increased replication traffic between a host and a domain controller | High | Often observed when an attacker pulls the full credential database. |
| Credential theft follow-on | Authentication attempts using domain admin or high privilege accounts | Critical | Indicates attacker successfully extracted credentials. |
| Properties 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 present in the event | Replicating Directory Changes and Replicating Directory Changes All | Critical | These rights appear in Security Event 4662 when an object is accessed with replication privileges. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Uses lsadump::dcsync to replicate password hashes from domain controllers. |
| Impacket secretsdump.py | Performs DCSync remotely to retrieve domain credential hashes. |
| Cobalt Strike | Provides modules to execute DCSync using compromised admin privileges. |
| SharpHound | Used to discover accounts with replication permissions. |
Relevant Artifacts
- Windows Security logs (4662, 4624, 4672, 4688)
- Domain controller directory service logs
- Sysmon logs (1, 3)
- Network telemetry showing RPC replication traffic
- EDR telemetry identifying suspicious credential extraction tools
- PowerShell logs if replication commands were executed via scripts
- Account privilege change logs (4728, 4732)
- Authentication logs indicating compromised admin accounts
MITRE ATT&CK References
- T1003.006 DCSync
- T1003 OS Credential Dumping
- T1078 Valid Accounts
- T1552 Unsecured Credentials
Decision Tree
- Is the suspicious event present?
  - Look for Security Event 4662 indicating replication permission usage.
- What host generated the event?
  - Determine if the replication request originated from a non-domain-controller host.
- Is the account expected to perform this action?
  - Only domain controllers normally perform replication operations.
- Pivot:
  - Source host → analyze processes executing credential extraction tools.
  - Account → verify privileges and recent group membership changes.
  - Network → inspect RPC traffic between hosts and domain controllers.
- Confirm exploitation
  - Determine whether extracted credentials were used for lateral movement or persistence.
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4662
| where Properties contains "Replicating Directory Changes"
| project TimeGenerated, Computer, SubjectUserName, ObjectType
SecurityEvent
| where EventID == 4662
| where SubjectUserName !contains "$"
| project TimeGenerated, SubjectUserName, Computer, ObjectType
EQL
any where event.code == "4662" and winlog.event_data.Properties like "*Replicating Directory Changes*"
Sigma
title: Possible DCSync Activity
id: dcsync-detection
status: experimental
description: Detects potential DCSync attempts by monitoring directory replication permission usage
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    Properties|contains:
      - "Replicating Directory Changes"
  condition: selection
fields:
  - SubjectUserName
  - ObjectType
falsepositives:
  - Legitimate domain controller replication
  - Authorized directory synchronization services
level: critical
tags:
  - attack.credential_access
  - attack.t1003.006
Splunk
index=main earliest=1690544278 latest=1690544280 EventCode=4662 Message="*Replicating Directory Changes*" | rex field=Message "(?P<property>Replicating Directory Changes.*)" | table _time, user, object_file_name, Object_Server, property
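The decision tree and the templates above key on 4662 alone; as an added example (not part of the original note) the Python below applies the same checks to constructed sample events: it matches the replication-right GUIDs the note lists (and the resolved name form some SIEMs substitute), skips known domain controllers replicating under their own machine accounts, and joins each 4662 to its 4624 by logon ID to recover the source host and IpAddress, which 4662 itself does not carry. The DC names, logon IDs and events are constructed; the third GUID, for DS-Replication-Get-Changes-In-Filtered-Set, is the well-known published value and is not taken from the note.

```python
import re
# Replication control-access rights as logged in the 4662 Properties field. The
# third GUID (filtered-set right) is well known but not listed in the note.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def replication_rights(properties):
    """Replication rights named in a 4662 Properties field. Windows logs raw
    GUIDs; some SIEMs substitute resolved names, so both forms are matched."""
    names = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    if "Replicating Directory Changes" in properties:  # resolved form, as in the KQL above
        names.add("Replicating Directory Changes")
    return names

def detect_dcsync(events, domain_controllers):
    """Flag 4662 replication-right access; 4662 has no source address, so the
    session is joined to its 4624 (SubjectLogonId == TargetLogonId) for host/IP."""
    dcs = {d.upper() for d in domain_controllers}
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights(e.get("Properties", ""))
        user = e["SubjectUserName"]
        # A known DC replicating under its own machine account is expected noise.
        if not rights or (user.endswith("$") and user[:-1].upper() in dcs):
            continue
        logon = logons.get(e["SubjectLogonId"], {})
        host = logon.get("WorkstationName", "unknown")
        hits.append({"user": user, "rights": sorted(rights), "source_host": host,
                     "source_ip": logon.get("IpAddress", "unknown"),
                     "source_is_dc": host.upper() in dcs})
    return hits

# Constructed sample events (not real log data): a workstation logon, a
# replication-right access in that session, and a DC's own replication.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "WorkstationName": "WS-FIN-07", "IpAddress": "10.20.30.44"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x1b2c3",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

A session opened on a DC console still surfaces with source_is_dc set to True, so the host check annotates the hit for triage rather than suppressing it.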
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Replication permissions | Restrict accounts with DS-Replication-Get-Changes privileges | High | Prevents unauthorized replication requests. |
| Privileged account monitoring | Alert on replication events executed by non-DC accounts | High | Detects compromised admin accounts. |
| Network monitoring | Monitor RPC replication traffic from non-DC hosts | Medium | Helps identify suspicious replication activity. |
| Least privilege | Limit domain admin membership | High | Reduces attack surface for credential dumping. |
| Security auditing | Enable directory service auditing | High | Provides visibility into replication operations. |