Technique Overview

DCSync is an Active Directory credential dumping technique (MITRE ATT&CK T1003.006) that abuses the Directory Replication Service (DRS) Remote Protocol. Rather than reading LSASS memory — which triggers most modern EDR solutions — the attacker impersonates a domain controller and requests that another DC replicate (i.e., send) password hashes directly.

The replication protocol is designed for legitimate DC-to-DC synchronisation. Any account granted the following extended rights can invoke it:

  • Replicating Directory Changes (DS-Replication-Get-Changes)
  • Replicating Directory Changes All (DS-Replication-Get-Changes-All)

By default, Domain Admins, Domain Controllers, and Enterprise Admins have these rights. The attack surface expands whenever these rights are granted to service accounts, helpdesk roles, or backup agents — an alarmingly common misconfiguration.

Common tooling:

  • Mimikatz: lsadump::dcsync /domain:corp.local /user:krbtgt
  • Impacket secretsdump.py: secretsdump.py domain/user@DC-IP
  • Cobalt Strike: DCSync module within the post-exploitation framework
  • DSInternals PowerShell module

Why it matters: DCSync retrieves NTLM hashes for any account — including krbtgt (enabling Golden Ticket attacks) and privileged service accounts. It requires no admin access to the DC host itself, just a network path and appropriate directory rights.

Detection Strategy

DCSync generates a distinct pattern of Windows Security events on the targeted domain controller.

Event IDs to Monitor

Event IDDescription
4662An operation was performed on an object — directory replication access
4928An Active Directory replica source naming context was established
4929An Active Directory replica source naming context was removed

The critical event is 4662 with specific properties:

  • Object Type: {19195a5b-6da0-11d0-afd3-00c04fd930c9} (domainDNS)
  • Access: includes 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) or 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
  • Subject Account Name: NOT a domain controller machine account (DC accounts legitimately replicate; workstations and user accounts should not)

Sigma Rule

title: Potential DCSync Attack - Non-DC Account Requesting Directory Replication
id: f8ee2ae5-8d3a-4e27-b3f2-7e3b9e45c321
status: production
description: Detects DCSync attack — a non-domain controller account requesting AD replication rights via Event ID 4662
references:
  - https://attack.mitre.org/techniques/T1003/006/
  - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts
author: SOC Analyst Hub
date: 2026-06-02
tags:
  - attack.credential_access
  - attack.t1003.006
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    Properties|contains:
      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
      - '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
      - '89e95b76-444d-4c62-991a-0facbeda640c'  # DS-Replication-Get-Changes-In-Filtered-Set
  filter_legitimate_dc:
    SubjectUserName|endswith: '$'  # Filter out machine accounts (DCs use MACHINE$ format)
  condition: selection and not filter_legitimate_dc
falsepositives:
  - Azure AD Connect / AD Sync accounts (add specific account names to exclusion list)
  - Privileged backup agents that legitimately replicate AD data
  - Third-party identity management tools
level: high

Important: Enable Directory Service Access auditing (Audit Directory Service Access) on your domain controllers. Without it, Event ID 4662 will not be generated.

Microsoft Sentinel (KQL)

SecurityEvent
| where EventID == 4662
| where Properties has_any (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   // DS-Replication-Get-Changes
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2",   // DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c"    // DS-Replication-Get-Changes-In-Filtered-Set
)
| where SubjectUserName !endswith "$"          // Exclude machine accounts
| extend
    AccountName = SubjectUserName,
    AccountDomain = SubjectDomainName,
    DCHostName = Computer
| project TimeGenerated, DCHostName, AccountDomain, AccountName, Properties, IpAddress
| order by TimeGenerated desc

Splunk SPL

index=wineventlog EventCode=4662
  Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
  OR Properties="*1131f6ab-9c07-11d1-f79f-00c04fc2dcd2*"
| where NOT match(SubjectUserName, "\$$")
| table _time, host, SubjectUserName, SubjectDomainName, IpAddress, Properties
| sort - _time

Reducing False Positives

Several legitimate processes generate 4662 events with replication access:

Azure AD Connect (AAD Sync): The sync service account legitimately reads password hashes for password writeback. Add the specific service account name to your exclusion filter.

Privileged Access Workstations running ADDS management tools: Administrative consoles that enumerate AD attributes can generate related events. Filter by known PAW IP ranges.

Backup solutions: Veeam, CommVault, and similar tools may use accounts with replication rights. Maintain a documented allowlist.

The rule above will generate noise in environments with AD Connect until the allowlist is tuned. Start with an alert-level rule and suppress on known service accounts before promoting to an automated response.

Network-Level Detection

DCSync operates over the MS-DRSR (Directory Replication Service Remote) protocol — an RPC-based protocol running on port 135 and dynamic high ports. You can detect non-DC hosts initiating replication:

  • Alert on RPC calls from non-DC IP addresses to DC IPs where the interface UUID matches MS-DRSR ({e3514235-4b06-11d1-ab04-00c04fc2dcd2})
  • NDR and Zeek both support MS-DRSR protocol analysis

Threat Hunting Query

To proactively hunt for accounts with DCSync-capable permissions (potential misconfiguration):

# List accounts with Replication Directory Changes rights (potential DCSync candidates)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$acl.Access | Where-Object {
    $_.ObjectType -in @(
        [GUID]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
        [GUID]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
    ) -and
    $_.IdentityReference -notmatch 'Domain Controllers|Enterprise Domain Controllers|Administrators|SYSTEM'
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

Any account returned by this query that you didn’t explicitly grant replication rights to should be investigated and likely remediated.

Remediation

  1. Audit and remove unnecessary replication rights using the hunt query above — report to Active Directory team for remediation
  2. Protect krbtgt: Reset the krbtgt password twice (required due to replication) if DCSync is confirmed in your environment
  3. Monitor AD sync accounts — if Azure AD Connect accounts are compromised, an attacker can exfiltrate all password hashes silently
  4. Enable Protected Users group membership for privileged accounts — members cannot have their hashes extracted by DCSync even if rights exist