creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-dcsync-attack-in-active-directory/assets/template.md
T

1.6 KiB
Raw Blame History

DCSync Attack Detection Hunt Template

Hunt Metadata

Field Value
Hunt ID TH-DCSYNC-YYYY-MM-DD-NNN
Analyst
Date
Status [ ] In Progress / [ ] Complete

Hypothesis

An adversary with elevated AD privileges is performing DCSync to extract password hashes from Active Directory by replicating directory data from a non-domain-controller machine.

Pre-Hunt Checklist

  • Event ID 4662 audit policy enabled on all DCs
  • SACL configured on domain root object
  • Domain controller inventory documented
  • Known service accounts with replication rights documented
  • Azure AD Connect accounts identified (if hybrid)

DCSync Detection Findings

# Timestamp Subject Account Source Machine Target DC Replication Rights Severity
1

Accounts with Replication Rights Audit

Account Type Rights Legitimate Justification
User/Service/Computer Get-Changes / Get-Changes-All Yes/No

Post-DCSync Impact Assessment

Check Status Notes
KRBTGT hash potentially compromised
Domain Admin hashes extracted
Service account credentials at risk
Golden Ticket creation possible

Response Actions

  1. Disable: [Compromised accounts]
  2. Reset: [KRBTGT password -- twice, 12 hours apart]
  3. Revoke: [Unauthorized replication rights]
  4. Investigate: [Source machine forensics]
  5. Monitor: [Subsequent credential abuse attempts]
Reference in New Issue View Git Blame Copy Permalink