Technique Overview
DCSync is an Active Directory credential dumping technique (MITRE ATT&CK T1003.006) that abuses the Directory Replication Service (DRS) Remote Protocol. Rather than reading LSASS memory — which triggers most modern EDR solutions — the attacker impersonates a domain controller and requests that another DC replicate (i.e., send) password hashes directly.
The replication protocol is designed for legitimate DC-to-DC synchronisation. Any account granted the following extended rights can invoke it:
- Replicating Directory Changes (
DS-Replication-Get-Changes) - Replicating Directory Changes All (
DS-Replication-Get-Changes-All)
By default, Domain Admins, Domain Controllers, and Enterprise Admins have these rights. The attack surface expands whenever these rights are granted to service accounts, helpdesk roles, or backup agents — an alarmingly common misconfiguration.
Common tooling:
Mimikatz:lsadump::dcsync /domain:corp.local /user:krbtgtImpacket secretsdump.py:secretsdump.py domain/user@DC-IPCobalt Strike: DCSync module within the post-exploitation frameworkDSInternalsPowerShell module
Why it matters: DCSync retrieves NTLM hashes for any account — including krbtgt (enabling Golden Ticket attacks) and privileged service accounts. It requires no admin access to the DC host itself, just a network path and appropriate directory rights.
Detection Strategy
DCSync generates a distinct pattern of Windows Security events on the targeted domain controller.
Event IDs to Monitor
| Event ID | Description |
|---|---|
| 4662 | An operation was performed on an object — directory replication access |
| 4928 | An Active Directory replica source naming context was established |
| 4929 | An Active Directory replica source naming context was removed |
The critical event is 4662 with specific properties:
- Object Type:
{19195a5b-6da0-11d0-afd3-00c04fd930c9}(domainDNS) - Access: includes
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2(DS-Replication-Get-Changes) or1131f6ab-9c07-11d1-f79f-00c04fc2dcd2(DS-Replication-Get-Changes-All) - Subject Account Name: NOT a domain controller machine account (DC accounts legitimately replicate; workstations and user accounts should not)
Sigma Rule
title: Potential DCSync Attack - Non-DC Account Requesting Directory Replication
id: f8ee2ae5-8d3a-4e27-b3f2-7e3b9e45c321
status: production
description: Detects DCSync attack — a non-domain controller account requesting AD replication rights via Event ID 4662
references:
- https://attack.mitre.org/techniques/T1003/006/
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts
author: SOC Analyst Hub
date: 2026-06-02
tags:
- attack.credential_access
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes
- '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes-All
- '89e95b76-444d-4c62-991a-0facbeda640c' # DS-Replication-Get-Changes-In-Filtered-Set
filter_legitimate_dc:
SubjectUserName|endswith: '$' # Filter out machine accounts (DCs use MACHINE$ format)
condition: selection and not filter_legitimate_dc
falsepositives:
- Azure AD Connect / AD Sync accounts (add specific account names to exclusion list)
- Privileged backup agents that legitimately replicate AD data
- Third-party identity management tools
level: high
Important: Enable Directory Service Access auditing (
Audit Directory Service Access) on your domain controllers. Without it, Event ID 4662 will not be generated.
Microsoft Sentinel (KQL)
SecurityEvent
| where EventID == 4662
| where Properties has_any (
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes
"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes-All
"89e95b76-444d-4c62-991a-0facbeda640c" // DS-Replication-Get-Changes-In-Filtered-Set
)
| where SubjectUserName !endswith "$" // Exclude machine accounts
| extend
AccountName = SubjectUserName,
AccountDomain = SubjectDomainName,
DCHostName = Computer
| project TimeGenerated, DCHostName, AccountDomain, AccountName, Properties, IpAddress
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4662
Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
OR Properties="*1131f6ab-9c07-11d1-f79f-00c04fc2dcd2*"
| where NOT match(SubjectUserName, "\$$")
| table _time, host, SubjectUserName, SubjectDomainName, IpAddress, Properties
| sort - _time
Reducing False Positives
Several legitimate processes generate 4662 events with replication access:
Azure AD Connect (AAD Sync): The sync service account legitimately reads password hashes for password writeback. Add the specific service account name to your exclusion filter.
Privileged Access Workstations running ADDS management tools: Administrative consoles that enumerate AD attributes can generate related events. Filter by known PAW IP ranges.
Backup solutions: Veeam, CommVault, and similar tools may use accounts with replication rights. Maintain a documented allowlist.
The rule above will generate noise in environments with AD Connect until the allowlist is tuned. Start with an alert-level rule and suppress on known service accounts before promoting to an automated response.
Network-Level Detection
DCSync operates over the MS-DRSR (Directory Replication Service Remote) protocol — an RPC-based protocol running on port 135 and dynamic high ports. You can detect non-DC hosts initiating replication:
- Alert on RPC calls from non-DC IP addresses to DC IPs where the interface UUID matches MS-DRSR (
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}) - NDR and Zeek both support MS-DRSR protocol analysis
Threat Hunting Query
To proactively hunt for accounts with DCSync-capable permissions (potential misconfiguration):
# List accounts with Replication Directory Changes rights (potential DCSync candidates)
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access | Where-Object {
$_.ObjectType -in @(
[GUID]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', # DS-Replication-Get-Changes
[GUID]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes-All
) -and
$_.IdentityReference -notmatch 'Domain Controllers|Enterprise Domain Controllers|Administrators|SYSTEM'
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
Any account returned by this query that you didn’t explicitly grant replication rights to should be investigated and likely remediated.
Remediation
- Audit and remove unnecessary replication rights using the hunt query above — report to Active Directory team for remediation
- Protect krbtgt: Reset the krbtgt password twice (required due to replication) if DCSync is confirmed in your environment
- Monitor AD sync accounts — if Azure AD Connect accounts are compromised, an attacker can exfiltrate all password hashes silently
- Enable Protected Users group membership for privileged accounts — members cannot have their hashes extracted by DCSync even if rights exist