creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/hunting-for-dcsync-attacks/references/api-reference.md
T

101 lines
3.4 KiB
Markdown
Raw Blame History

# DCSync Attack Detection Reference
## Windows Event ID 4662
Directory Service Access event logged when an object in Active Directory is accessed.
### Required Group Policy Configuration
```
Computer Configuration > Policies > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies > DS Access >
Audit Directory Service Access: Success, Failure
```
### Required SACL Configuration
Add "Domain Computers" to the SACL on the domain root object to detect machine account DCSync.
## Key Detection GUIDs
| GUID | Right | Description |
|------|-------|-------------|
| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes | Read replication changes |
| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All | Read all replication changes (includes secrets) |
| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set | Filtered replication set |
### AccessMask Value
`0x100` (256 decimal) = Control Access - logged when access is allowed following extended rights verification.
## Splunk Detection Query
```spl
index=wineventlog EventCode=4662
| where AccessMask="0x100"
| where match(Properties, "(?i)1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") OR match(Properties, "(?i)1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
| where NOT match(SubjectUserName, "\\$$")
| eval is_dc=if(match(SubjectUserName, "(?i)(DC|AZUREADCONNECT)"), "legitimate", "suspicious")
| where is_dc="suspicious"
| stats count by SubjectUserName, SubjectDomainName, Computer, Properties
```
## Elastic KQL Detection
```
event.code: "4662" AND winlog.event_data.AccessMask: "0x100" AND
winlog.event_data.Properties: (*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* OR *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*)
AND NOT winlog.event_data.SubjectUserName: *$
```
## PowerShell Detection
```powershell
# Query Event 4662 for replication GUID access
Get-WinEvent -FilterHashtable @{
LogName='Security'; Id=4662
} | Where-Object {
$_.Properties[8].Value -match '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -and
$_.Properties[1].Value -notmatch '\$$'
} | Select-Object TimeCreated,
@{N='Account';E={$_.Properties[1].Value}},
@{N='Domain';E={$_.Properties[2].Value}}
# List accounts with replication rights
Import-Module ActiveDirectory
(Get-Acl "AD:\DC=domain,DC=local").Access |
Where-Object { $_.ObjectType -in @(
'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
)} | Select-Object IdentityReference, ActiveDirectoryRights
```
## Attack Tools (for Detection Signatures)
```bash
# Mimikatz DCSync
lsadump::dcsync /domain:corp.local /user:krbtgt
# Impacket secretsdump.py
secretsdump.py -just-dc corp.local/admin:Password@dc01.corp.local
# Impacket - specific user
secretsdump.py -just-dc-user krbtgt corp.local/admin:Password@dc01.corp.local
```
## MITRE ATT&CK Mapping
- **Technique**: T1003.006 - OS Credential Dumping: DCSync
- **Tactic**: Credential Access
- **Platforms**: Windows
- **Data Sources**: Active Directory: Active Directory Object Access, Network Traffic
## Response Checklist
1. Disable compromised account immediately
2. Reset krbtgt password twice (12-hour interval between resets)
3. Revoke all Kerberos tickets (purge ticket cache)
4. Audit all accounts with replication rights on domain object
5. Review source host for additional compromise indicators
6. Check for persistence mechanisms (scheduled tasks, services, WMI)
Reference in New Issue View Git Blame Copy Permalink