Potential Credential Access via DCSync
This rule identifies when a user account starts the Active Directory replication process, which may indicate a DCSync attack: a technique that lets attackers steal credential material and compromise the entire domain.
The DCSync attack is a technique that allows an attacker to use the Windows Domain Controller’s API to simulate the replication process from a remote domain controller. This enables the attacker to compromise critical credential material, such as Kerberos krbtgt keys, which can then be used for ticket creation and forgery. This attack requires specific privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), typically granted to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. This rule focuses on detecting the initiation of the Active Directory replication process by user accounts, which could indicate a DCSync attack. The rule specifically monitors for Event ID 4662, filtering out computer accounts and Azure AD Connect MSOL accounts to reduce false positives.
Attack Chain
- An attacker gains initial access to a system with a privileged account (e.g., Domain Admin).
- The attacker uses the privileged account to grant an attacker-controlled object the right to replicate directory changes (DCSync).
- The attacker initiates an Active Directory replication process using the granted rights.
- Windows generates Event ID 4662 (Operation was performed on an Active Directory object) with Access Mask 0x100 (Control Access).
- The event properties include DS-Replication-Get-Changes or DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set.
- The attacker extracts sensitive information such as password hashes.
- The attacker forges Kerberos tickets using the compromised credentials.
- The attacker achieves domain dominance.
Impact
A successful DCSync attack can lead to the compromise of the entire Active Directory domain. Attackers can steal credential information, including the krbtgt key, allowing them to forge Kerberos tickets and gain unauthorized access to any resource within the domain. This can lead to data breaches, system outages, and significant financial and reputational damage.
Recommendation
- Enable “Audit Directory Service Access” to generate the required event logs (Event ID 4662) for detection, as indicated in the setup instructions.
- Deploy the provided Sigma rule "Detect Potential DCSync Activity" to identify suspicious Active Directory replication events in your SIEM.
- Investigate any alerts generated by the Sigma rule by correlating security events 4662 and 4624 by Logon ID on the Domain Controller.
- Review and restrict the privileges granted to accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.
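As an added example (not code from the detection platform or its Sigma rules), the following Python applies the 4662 filters listed in the attack chain (Control Access mask, replication GUIDs, exclusion of computer and MSOL accounts) and correlates each hit with its 4624 logon by Logon ID as the recommendations suggest. The event dictionaries, account names, logon IDs and addresses are constructed; field names follow the Windows Security event schema.

```python
# Well-known control-access-right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask "Control Access" (4662 renders the mask as hex text)

def replication_rights(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    props = str(event.get("Properties", "")).lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]

def is_dcsync_candidate(event):
    """The rule's filters: 4662, Control Access mask, replication GUID, non-machine account."""
    if event.get("EventID") != 4662:
        return False
    if int(str(event.get("AccessMask", "0")), 16) != CONTROL_ACCESS:
        return False
    user = str(event.get("SubjectUserName", ""))
    if user.endswith("$") or user.upper().startswith("MSOL_"):
        return False  # computer accounts and Azure AD Connect accounts replicate legitimately
    return bool(replication_rights(event))

def find_dcsync(events):
    """Return hits enriched from the 4624 logon that shares the Logon ID (source IP, logon type)."""
    logons = {e.get("TargetLogonId"): e for e in events if e.get("EventID") == 4624}
    hits = []
    for e in events:
        if is_dcsync_candidate(e):
            logon = logons.get(e.get("SubjectLogonId"), {})
            hits.append({"user": e["SubjectUserName"], "rights": replication_rights(e),
                         "source_ip": logon.get("IpAddress", "unknown"),
                         "logon_type": logon.get("LogonType")})
    return hits
# Constructed sample events (hypothetical names, logon IDs and addresses), not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3e7a1", "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_9f8e7d6c", "SubjectLogonId": "0x4b2", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1", "AccessMask": "0x20",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID, ordinary write
]

if __name__ == "__main__":
    print(find_dcsync(SAMPLE_EVENTS))  # only the jdoe Control Access event survives the filters
```

Only the first 4662 event is reported; the computer account, the MSOL account and the non-Control-Access write are dropped, and the hit carries the source IP and logon type from the matching 4624 event.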
Detection coverage (2 rules)
Detect Potential DCSync Activity
Severity: medium. Detects potential DCSync activity by monitoring for specific Active Directory replication events (Event ID 4662) with the relevant access mask and properties.
DCSync via GUID
Severity: medium. Detects DCSync activity using the GUIDs associated with replication permissions.