Detecting DCSync attacks in event logs

v20260601
hunting-for-dcsync-attacks
This guide provides methods for detecting DCSync attacks by analyzing Windows Event ID 4662 to identify unauthorized domain replication requests from accounts that are not domain controllers. It is intended for security incident response and threat hunting, with the goal of preventing credential theft.
338 downloads
Overview

Hunting for DCSync Attacks

When to Use

  • When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
  • After detecting Mimikatz or similar tools in the environment
  • During incident response involving Active Directory compromise
  • When monitoring for unauthorized domain replication requests
  • During purple team exercises testing AD attack detection

Prerequisites

  • Windows Security Event Log forwarding enabled (Event ID 4662)
  • Audit Directory Service Access enabled via Group Policy
  • A SACL for Domain Computers configured on the domain object, so that machine-account replication requests are audited
  • SIEM with Windows event data ingested (Splunk, Elastic, Sentinel)
  • Knowledge of legitimate domain controller accounts and replication partners

Workflow

  1. Enable Auditing: Ensure Audit Directory Service Access is enabled on domain controllers.
  2. Collect Events: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access).
  3. Filter Replication GUIDs: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
  4. Identify Non-DC Sources: Flag events where SubjectUserName is not a domain controller machine account.
  5. Correlate with Network: Cross-reference source IPs against known DC addresses.
  6. Validate Findings: Exclude legitimate replication tools (Azure AD Connect, SCCM).
  7. Respond: Disable compromised accounts, reset krbtgt, investigate lateral movement.
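An added example (not part of the original skill) that implements workflow steps 2 to 4 and 6 as SIEM-side detection logic in Python over constructed 4662 records; the DC machine-account names, the allowlisted sync account and the risk-rating rule are assumptions:

```python
import re
# Replication extended-right GUIDs from the workflow above (well-known values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumed environment knowledge for steps 4 and 6 (constructed placeholder names):
DC_ACCOUNTS = {"DC01$", "DC02$"}          # domain controller machine accounts
ALLOWLIST = {"MSOL_AADConnect"}           # e.g. Azure AD Connect sync account


def hunt_dcsync(events, dc_accounts=DC_ACCOUNTS, allowlist=ALLOWLIST):
    """Steps 2-4 and 6 over SIEM-normalised 4662 records (dicts with EventID,
    Computer, SubjectUserName, AccessMask as logged hex text, Properties)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # Step 2: only Control Access (0x100) indicates an extended-right check.
        if int(str(ev.get("AccessMask", "0")), 16) & 0x100 == 0:
            continue
        # Step 3: keep events naming a replication extended right.
        hit = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))} & set(REPLICATION_GUIDS)
        if not hit:
            continue
        # Steps 4 and 6: drop DC machine accounts and known replication tools.
        subject = ev.get("SubjectUserName", "")
        if subject in dc_accounts or subject in allowlist:
            continue
        findings.append({
            "domain_controller": ev.get("Computer"),
            "subject": subject,
            "rights": sorted(REPLICATION_GUIDS[g] for g in hit),
            # Assumption: Get-Changes-All (the right that returns secrets) rates Critical.
            "risk": "Critical" if "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" in hit else "High",
        })
    return findings


# Constructed sample records, not real telemetry.
DC = "DC01.corp.example"
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": DC, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},          # normal DC replication
    {"EventID": 4662, "Computer": DC, "SubjectUserName": "MSOL_AADConnect", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # allowlisted sync tool
    {"EventID": 4662, "Computer": DC, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": DC, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{12345678-9abc-def0-1234-56789abcdef0}"},          # unrelated right, constructed
]
```

Running `hunt_dcsync(SAMPLE_EVENTS)` yields a single Critical finding for `jdoe`; removing an entry from `ALLOWLIST` or `DC_ACCOUNTS` shows how the exclusions in steps 4 and 6 decide what surfaces.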

Key Concepts

Concept                         Description
DCSync                          Technique that abuses the AD replication protocol to extract password hashes
Event ID 4662                   Directory Service Access audit event
DS-Replication-Get-Changes      GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
DS-Replication-Get-Changes-All  GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
AccessMask 0x100                Control Access right; indicates an extended-rights check
T1003.006                       OS Credential Dumping: DCSync

Tools & Systems

Tool                            Purpose
Windows Event Viewer            Direct event log analysis
Splunk                          SIEM correlation of Event 4662
Elastic Security                Detection rules for DCSync patterns
Mimikatz lsadump::dcsync        Attack tool used to perform DCSync
Impacket secretsdump.py         Python-based DCSync implementation
BloodHound                      Identify accounts with replication rights

Output Format

Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Technique: T1003.006
Domain Controller: [DC hostname]
Subject Account: [Account performing replication]
Source IP: [Non-DC IP address]
GUID Accessed: [Replication GUID]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Disable account, reset krbtgt, investigate]
Info
Category: Hardware engineering
Name: hunting-for-dcsync-attacks
Version: v20260601
Size: 10.7KB
Updated: 2026-06-03
Language: