Anthropic-Cybersecurity-Skills/skills/hunting-for-dcsync-attacks/references/api-reference.md

# DCSync Attack Detection Reference

## Windows Event ID 4662

A Directory Service Access event, logged when an object in Active Directory is accessed.

### Required Group Policy Configuration

```text
Computer Configuration > Policies > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies > DS Access >
Audit Directory Service Access: Success, Failure
```

### Required SACL Configuration

Add "Domain Computers" to the SACL on the domain root object to detect machine account DCSync.

## Key Detection GUIDs

| GUID | Right | Description |
|------|-------|-------------|
| `1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` | DS-Replication-Get-Changes | Read replication changes |
| `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` | DS-Replication-Get-Changes-All | Read all replication changes (includes secrets) |
| `89e95b76-444d-4c62-991a-0facbeda640c` | DS-Replication-Get-Changes-In-Filtered-Set | Filtered replication set |

## AccessMask Value

`0x100` (256 decimal) = Control Access. A 4662 event with this mask is logged when an extended right (such as the replication rights above) is checked and the access is allowed.

## Splunk Detection Query

```spl
index=wineventlog EventCode=4662
| where AccessMask="0x100"
| where match(Properties, "(?i)1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") OR match(Properties, "(?i)1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
| where NOT match(SubjectUserName, "\\$$")
| eval is_dc=if(match(SubjectUserName, "(?i)(DC|AZUREADCONNECT)"), "legitimate", "suspicious")
| where is_dc="suspicious"
| stats count by SubjectUserName, SubjectDomainName, Computer, Properties
```

## Elastic KQL Detection

```kql
event.code: "4662" AND winlog.event_data.AccessMask: "0x100" AND
winlog.event_data.Properties: (*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* OR *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*)
AND NOT winlog.event_data.SubjectUserName: *$
```

## PowerShell Detection

```powershell
# Query Event 4662 for replication GUID access.
# Fields are read from the event XML by name rather than by $_.Properties index,
# so the filter does not break if the position of Properties differs.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4662 } | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Account     = $data['SubjectUserName']
        Domain      = $data['SubjectDomainName']
        AccessMask  = $data['AccessMask']
        Properties  = $data['Properties']
    }
} | Where-Object {
    $_.AccessMask -eq '0x100' -and
    $_.Properties -match '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -and
    $_.Account -notmatch '\$$'
} | Select-Object TimeCreated, Account, Domain
```

```powershell
# List accounts holding replication rights on the domain object.
# Only Allow ACEs matter here; ObjectType identifies which replication right each ACE grants.
Import-Module ActiveDirectory
(Get-Acl "AD:\DC=domain,DC=local").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in @(
            '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
            '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
        )
    } | Select-Object IdentityReference, ObjectType, ActiveDirectoryRights
```
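The detection logic behind the Splunk, KQL and PowerShell rules above (AccessMask `0x100`, the replication GUIDs from the table, exclusion of `$` machine accounts, and the `(DC|AZUREADCONNECT)` allow-list), applied to raw 4662 event XML in a stand-alone Python script. This is an added example, not part of the original reference: the event records it processes are constructed inside the script, the field names come from the 4662 EventData schema, and the allow-list regex is the same naming assumption the Splunk rule makes. It goes slightly beyond the rules by ranking findings that include DS-Replication-Get-Changes-All (the right that exposes secrets) above those that only show DS-Replication-Get-Changes.

```python
import re
import xml.etree.ElementTree as ET

# Extended-right GUIDs from the table above, lower-case for comparison.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"   # the right that exposes password hashes
CONTROL_ACCESS = 0x100                               # AccessMask for an extended-right check

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
# Same allow-list the Splunk rule uses; an assumption about account naming, tune per environment.
KNOWN_REPLICATORS = re.compile(r"(?i)(DC|AZUREADCONNECT)")


def parse_4662(xml_text):
    """Read the fields the rule needs from a 4662 event's XML, keyed by Data Name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", EVT_NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=EVT_NS)
    return fields


def classify(ev):
    """Apply the rule. Returns None when the event is not a DCSync indicator, else a finding."""
    if ev["EventID"] != 4662 or int(ev.get("AccessMask", "0"), 16) != CONTROL_ACCESS:
        return None
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
    if not rights:
        return None
    account = ev.get("SubjectUserName", "")
    if account.endswith("$"):   # machine account, excluded exactly as the SPL/KQL rules do
        return None
    verdict = "legitimate" if KNOWN_REPLICATORS.search(account) else "suspicious"
    return {
        "account": account,
        "domain": ev.get("SubjectDomainName", ""),
        "computer": ev["Computer"],
        "rights": rights,
        "verdict": verdict,
        # Get-Changes-All is what lets a caller pull secrets, so rank it highest.
        "severity": "high" if GET_CHANGES_ALL in rights else "medium",
    }


def detect(xml_records):
    """Return the suspicious findings for a batch of raw 4662 XML records."""
    findings = [classify(parse_4662(x)) for x in xml_records]
    return [f for f in findings if f and f["verdict"] == "suspicious"]


def summarize(findings):
    """Equivalent of the SPL 'stats count by' line: counts per (account, domain, computer)."""
    counts = {}
    for f in findings:
        key = (f["account"], f["domain"], f["computer"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def make_event(user, domain, computer, properties, access_mask="0x100", event_id=4662):
    """Build a minimal 4662 record. Constructed test data, not a real capture."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="AccessMask">{access_mask}</Data>
    <Data Name="Properties">{properties}</Data>
  </EventData>
</Event>"""


# Constructed sample batch; the Properties text mimics the "%%7688 {guid}" layout of real events.
BOTH = "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
ONLY_GET_CHANGES = "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    make_event("jdoe", "CORP", "DC01.corp.local", BOTH),                      # user pulling secrets
    make_event("DC02$", "CORP", "DC01.corp.local", BOTH),                     # DC-to-DC replication
    make_event("svc_azureadconnect", "CORP", "DC01.corp.local", BOTH),        # allow-listed sync account
    make_event("jdoe", "CORP", "DC01.corp.local", BOTH, access_mask="0x10"),  # not an extended-right check
    make_event("backupadmin", "CORP", "DC01.corp.local", ONLY_GET_CHANGES),   # partial right only
    make_event("jdoe", "CORP", "DC01.corp.local", BOTH),                      # repeat of the first
]

if __name__ == "__main__":
    for key, n in summarize(detect(SAMPLE_EVENTS)).items():
        print(n, *key)
```

Running it reports two hits for `jdoe` (high, both rights) and one for `backupadmin` (medium, Get-Changes only); the `DC02$`, allow-listed and non-`0x100` events are dropped just as the SIEM rules drop them. Note that the `(DC|AZUREADCONNECT)` allow-list matches any account whose name contains `dc` case-insensitively, so the constructed account names deliberately avoid that substring; in production, replace the regex with an explicit list of the accounts that are permitted to replicate.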

## Attack Tools (for Detection Signatures)

```text
# Mimikatz DCSync
lsadump::dcsync /domain:corp.local /user:krbtgt

# Impacket secretsdump.py
secretsdump.py -just-dc corp.local/admin:Password@dc01.corp.local

# Impacket - specific user
secretsdump.py -just-dc-user krbtgt corp.local/admin:Password@dc01.corp.local
```

## MITRE ATT&CK Mapping

- Technique: T1003.006 - OS Credential Dumping: DCSync
- Tactic: Credential Access
- Platforms: Windows
- Data Sources: Active Directory: Active Directory Object Access, Network Traffic

## Response Checklist

  1. Disable compromised account immediately
  2. Reset krbtgt password twice (12-hour interval between resets)
  3. Revoke all Kerberos tickets (purge ticket cache)
  4. Audit all accounts with replication rights on domain object
  5. Review source host for additional compromise indicators
  6. Check for persistence mechanisms (scheduled tasks, services, WMI)