Anthropic-Cybersecurity-Skills/skills/detecting-dcsync-attack-in-active-directory/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Detecting DCSync Attack in Active Directory

## DCSync Replication GUIDs

| GUID | Right |
|------|-------|
| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes |
| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All |
| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set |

## Windows Event ID 4662 Fields

```xml
<EventID>4662</EventID>
<Data Name="SubjectUserName">attacker</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="Properties">{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
<Data Name="ObjectName">DC=corp,DC=local</Data>
```

## python-evtx Usage

```python
import Evtx.Evtx as evtx

# Prefixes of the three replication-right GUIDs listed above
REPL_GUIDS = ("1131f6aa", "1131f6ad", "89e95b76")

with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        xml = record.xml()
        # Keep only 4662 events whose Properties field carries a replication GUID
        if "<EventID>4662</EventID>" in xml and any(g in xml for g in REPL_GUIDS):
            print(xml)
```
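The filter above only substring-matches the raw XML. The following is an added example, not the skill's own `agent.py`, that parses the XML `record.xml()` returns, excludes machine accounts and an assumed `known_dc_accounts` allowlist (the role of the `--dc-accounts` file), and reports which replication rights a 4662 event exercised; the sample record is constructed.

```python
import xml.etree.ElementTree as ET

# Access-right GUIDs that identify directory replication (the table above)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Namespace of the XML that python-evtx's record.xml() returns
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def classify_4662(xml_text, known_dc_accounts=()):
    """Return the replication rights exercised by a suspicious 4662 event.

    Returns [] when the record is not 4662, carries no replication GUID,
    or the subject is a machine account ('$' suffix) or a known DC account
    (hypothetical allowlist, e.g. loaded from known_dcs.txt).
    """
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return []
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    subject = data.get("SubjectUserName", "")
    allow = {a.lower() for a in known_dc_accounts}
    if subject.endswith("$") or subject.lower() in allow:
        return []
    # Properties may list several GUIDs; report every replication right present
    props = data.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


# Constructed sample record (not a real capture), shaped like record.xml() output
SAMPLE_4662 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">attacker</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">DC=corp,DC=local</Data>
    <Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(classify_4662(SAMPLE_4662, known_dc_accounts=["svc_adsync"]))
```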

## Splunk SPL Detection Query

```spl
index=wineventlog EventCode=4662
| where match(Properties, "1131f6aa|1131f6ad|89e95b76")
| where NOT match(SubjectUserName, ".*\\$$")
| stats count values(Properties) by SubjectUserName Computer
```

`where ... IN (...)` does not expand `*` wildcards, so the GUID match uses `match()` instead.

## KQL (Microsoft Sentinel)

```kql
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
| where SubjectUserName !endswith "$"
| project TimeGenerated, SubjectUserName, Computer, Properties
```

## PowerShell - Audit Replication Permissions

```powershell
Import-Module ActiveDirectory   # provides Get-ADDomain and the AD: drive
$domain = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domain"
# List every principal granted a replication extended right on the domain head
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -in @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
        '89e95b76-444d-4c62-991a-0facbeda640c'
    )
} | Select-Object IdentityReference, ObjectType, ActiveDirectoryRights
```

## Attack Tools Reference

| Tool | Command |
|------|---------|
| Mimikatz | `lsadump::dcsync /user:krbtgt /domain:corp.local` |
| Impacket | `secretsdump.py corp/admin:pass@dc-ip` |
| DSInternals | `Get-ADReplAccount -SamAccountName krbtgt` |

## CLI Usage

```bash
python agent.py --security-log Security.evtx --dc-accounts known_dcs.txt
python agent.py --generate-sigma
python agent.py --check-perms
```