Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.
cybersecurity
threat-hunting
threat-hunting
active-directory
dcsync
credential-theft
mitre-t1003-006
mimikatz
kerberos
1.0
mahipal
Apache-2.0
Application Protocol Command Analysis
Network Isolation
Network Traffic Analysis
Client-server Payload Profiling
Platform Monitoring
DE.CM-01
DE.AE-02
DE.AE-07
ID.RA-05
Detecting DCSync Attacks in Active Directory
When to Use
When hunting for credential theft in Active Directory environments
After compromise of accounts with Replicating Directory Changes permissions
When investigating suspected use of Mimikatz or Impacket secretsdump
During incident response involving lateral movement with domain admin credentials
When auditing AD replication permissions as part of security hardening
Prerequisites
Windows Security Event Logs with Event ID 4662 (Object Access) enabled
Advanced Audit Policy: Audit Directory Service Access enabled
Domain Controller event forwarding to SIEM
Knowledge of legitimate domain controller hostnames and IPs
Directory Service Access auditing with SACL on domain object
Workflow
Identify Legitimate Replication Sources: Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication.
Enable Required Auditing: Configure Advanced Audit Policy to capture Event ID 4662 on domain controllers with specific GUID monitoring for replication rights.
Monitor Replication Rights Access: Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c).
Detect Non-DC Replication Requests: Alert when any account NOT associated with a domain controller requests replication rights.
Correlate with Network Traffic: DCSync generates replication traffic (MS-DRSR over RPC) from the attacker's machine to the DC. Monitor for DsGetNCChanges (IDL_DRSGetNCChanges in the MS-DRSR specification) RPC calls originating from non-DC IP addresses.
Investigate Source Context: Examine the process, user account, and machine originating the replication request.
Check for Credential Abuse: After DCSync detection, audit for subsequent use of extracted hashes (pass-the-hash, golden ticket creation).
Key Concepts

| Concept | Description |
|---|---|
| T1003.006 | OS Credential Dumping: DCSync |
| DCSync | Mimicking domain controller replication to extract credentials |
| DsGetNCChanges | RPC function used to request AD replication data |
| DS-Replication-Get-Changes | AD permission required (GUID: 1131f6aa-...) |
| DS-Replication-Get-Changes-All | Permission including confidential attributes (GUID: 1131f6ad-...) |
| MS-DRSR | Microsoft Directory Replication Service Remote Protocol |
| KRBTGT Hash | Key target of DCSync enabling Golden Ticket attacks |
| Event ID 4662 | Directory service object access audit event |
Tools & Systems

| Tool | Purpose |
|---|---|
| Mimikatz (lsadump::dcsync) | Primary DCSync attack tool |
| Impacket secretsdump.py | Python-based DCSync implementation |
| DSInternals | PowerShell module for AD replication |
| BloodHound | Map accounts with replication rights |
| Splunk / Elastic | SIEM correlation of 4662 events |
| Microsoft Defender for Identity | Native DCSync detection |
| CrowdStrike Falcon | EDR-based DCSync detection |
Detection Queries
Splunk -- DCSync Detection via Event 4662
index=wineventlog EventCode=4662
    Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
                   "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
                   "*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, "\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| table SubjectUserName SubjectDomainName Computer count ReplicationRights
KQL -- Microsoft Sentinel DCSync Detection
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "89e95b76-444d-4c62-991a-0facbeda640c"
| where SubjectUserName !endswith "$"
| where SubjectUserName != "AzureADConnect" and not(SubjectUserName startswith "MSOL_")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated desc
Sigma Rule -- DCSync Activity
title: DCSync Activity Detected - Non-DC Replication Request
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    filter_dc:
        SubjectUserName|endswith: '$'
    condition: selection and not filter_dc
level: critical
tags:
    - attack.credential_access
    - attack.t1003.006
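The workflow's non-DC filter (steps 3 and 4) and the service-account exclusions used by the queries above, carried out over constructed 4662 events, as an added Python example that is not part of the original skill. It compares the requester against the documented DC accounts from step 1 instead of a bare "$" suffix, and additionally requires AccessMask 0x100 (control access); the DC list, the "MSOL_*" allow-list syntax and the sample accounts are assumptions.

```python
import re
from typing import Iterable

# Control-access GUIDs that a DCSync request exercises (the three GUIDs listed in the workflow).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # 4662 AccessMask bit for an extended right (control access)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def is_allowlisted(account: str, allowlist: Iterable[str]) -> bool:
    """Exact match, or prefix match when an allowlist entry ends in '*' (e.g. 'MSOL_*'), case-insensitive."""
    acct = account.upper()
    return any(acct.startswith(e[:-1].upper()) if e.endswith("*") else acct == e.upper() for e in allowlist)

def find_dcsync(events: list, known_dcs: Iterable[str], allowlist: Iterable[str] = ()) -> list:
    """Return (account, computer, rights) for 4662 events in which a non-DC principal used replication rights."""
    # Matching the documented DC accounts (workflow step 1) rather than a trailing '$' keeps a non-DC
    # machine account that requests replication in the results.
    dcs = {d.upper() for d in known_dcs}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662 or not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        guids = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        rights = sorted(REPL_RIGHTS[g] for g in guids & set(REPL_RIGHTS))
        account = ev["SubjectUserName"]
        if rights and account.upper() not in dcs and not is_allowlisted(account, allowlist):
            findings.append((account, ev.get("Computer", ""), rights))
    return findings

# Constructed sample events shaped like parsed 4662 fields; Properties keeps the log's "{guid}" layout.
def _ev(user, mask, *guids, computer="DC01.corp.example"):
    props = "%%7688\n\t" + "\n\t".join("{%s}" % g for g in guids)
    return {"EventID": 4662, "SubjectUserName": user, "AccessMask": mask, "Properties": props, "Computer": computer}

SAMPLE_EVENTS = [
    _ev("DC02$", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # peer DC: expected
    _ev("jsmith", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # user: DCSync candidate
    _ev("MSOL_1a2b3c4d", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),  # Azure AD Connect sync account: allow-listed
    _ev("WS042$", "0x100", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # workstation account: not a DC, still flagged
    _ev("jdoe", "0x10", "bf967aba-0de6-11d0-a285-00aa003049e2"),  # plain write on a user object: ignored
]

if __name__ == "__main__":
    for account, computer, rights in find_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"], ["MSOL_*"]):
        print(f"DCSync candidate: {account} on {computer} used {', '.join(rights)}")
```

Running it flags jsmith and WS042$ but not the peer DC or the MSOL_ account; dropping the allow-list argument shows the sync account being reported as well, which is the Azure AD Connect scenario listed below.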
Common Scenarios
Mimikatz DCSync: Attacker with Domain Admin privileges runs lsadump::dcsync /user:krbtgt to extract KRBTGT hash for Golden Ticket creation.
Impacket secretsdump: Remote DCSync via secretsdump.py domain/user:password@dc-ip extracting all domain hashes.
Delegated Replication Rights: Attacker grants themselves Replicating Directory Changes rights via ACL modification before performing DCSync.
Azure AD Connect Abuse: Compromising the Azure AD Connect service account which has legitimate replication rights.
DSInternals PowerShell: Using Get-ADReplAccount cmdlet to replicate specific account credentials.