mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-13 22:54:53 +03:00
mukul975
48 lines
1.6 KiB
Markdown
48 lines
1.6 KiB
Markdown
# DCSync Attack Detection Hunt Template
|
|
|
|
## Hunt Metadata
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| Hunt ID | TH-DCSYNC-YYYY-MM-DD-NNN |
|
|
| Analyst | |
|
|
| Date | |
|
|
| Status | [ ] In Progress / [ ] Complete |
|
|
|
|
## Hypothesis
|
|
> An adversary with elevated AD privileges is performing DCSync to extract password hashes from Active Directory by replicating directory data from a non-domain-controller machine.
|
|
|
|
## Pre-Hunt Checklist
|
|
- [ ] Event ID 4662 audit policy enabled on all DCs
|
|
- [ ] SACL configured on domain root object
|
|
- [ ] Domain controller inventory documented
|
|
- [ ] Known service accounts with replication rights documented
|
|
- [ ] Azure AD Connect accounts identified (if hybrid)
|
|
|
|
## DCSync Detection Findings
|
|
|
|
| # | Timestamp | Subject Account | Source Machine | Target DC | Replication Rights | Severity |
|
|
|---|-----------|-----------------|----------------|-----------|-------------------|----------|
|
|
| 1 | | | | | | |
|
|
|
|
## Accounts with Replication Rights Audit
|
|
|
|
| Account | Type | Rights | Legitimate | Justification |
|
|
|---------|------|--------|-----------|---------------|
|
|
| | User/Service/Computer | Get-Changes / Get-Changes-All | Yes/No | |
|
|
|
|
## Post-DCSync Impact Assessment
|
|
|
|
| Check | Status | Notes |
|
|
|-------|--------|-------|
|
|
| KRBTGT hash potentially compromised | | |
|
|
| Domain Admin hashes extracted | | |
|
|
| Service account credentials at risk | | |
|
|
| Golden Ticket creation possible | | |
|
|
|
|
## Response Actions
|
|
1. **Disable**: [Compromised accounts]
|
|
2. **Reset**: [KRBTGT password -- twice, 12 hours apart]
|
|
3. **Revoke**: [Unauthorized replication rights]
|
|
4. **Investigate**: [Source machine forensics]
|
|
5. **Monitor**: [Subsequent credential abuse attempts]
|