Anthropic-Cybersecurity-Skills hunting-for-dcsync-attacks
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests
install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/hunting-for-dcsync-attacks" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-hunting-for-dcsync-attacks && rm -rf "$T"
manifest:
skills/hunting-for-dcsync-attacks/SKILL.mdsource content
Hunting for DCSync Attacks
When to Use
- When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
- After detecting Mimikatz or similar tools in the environment
- During incident response involving Active Directory compromise
- When monitoring for unauthorized domain replication requests
- During purple team exercises testing AD attack detection
Prerequisites
- Windows Security Event Log forwarding enabled (Event ID 4662)
- Audit Directory Service Access enabled via Group Policy
- Domain Computers SACL configured on Domain Object for machine account detection
- SIEM with Windows event data ingested (Splunk, Elastic, Sentinel)
- Knowledge of legitimate domain controller accounts and replication partners
Workflow
- Enable Auditing: Ensure Audit Directory Service Access is enabled on domain controllers.
- Collect Events: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access).
- Filter Replication GUIDs: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
- Identify Non-DC Sources: Flag events where SubjectUserName is not a domain controller machine account.
- Correlate with Network: Cross-reference source IPs against known DC addresses.
- Validate Findings: Exclude legitimate replication tools (Azure AD Connect, SCCM).
- Respond: Disable compromised accounts, reset krbtgt, investigate lateral movement.
Key Concepts
| Concept | Description |
|---|---|
| DCSync | Technique abusing AD replication protocol to extract password hashes |
| Event ID 4662 | Directory Service Access audit event |
| DS-Replication-Get-Changes | GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 |
| DS-Replication-Get-Changes-All | GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 |
| AccessMask 0x100 | Control Access right indicating extended rights verification |
| T1003.006 | OS Credential Dumping: DCSync |
Tools & Systems
| Tool | Purpose |
|---|---|
| Windows Event Viewer | Direct event log analysis |
| Splunk | SIEM correlation of Event 4662 |
| Elastic Security | Detection rules for DCSync patterns |
| Mimikatz lsadump::dcsync | Attack tool used to perform DCSync |
| Impacket secretsdump.py | Python-based DCSync implementation |
| BloodHound | Identify accounts with replication rights |
Output Format
Hunt ID: TH-DCSYNC-[DATE]-[SEQ] Technique: T1003.006 Domain Controller: [DC hostname] Subject Account: [Account performing replication] Source IP: [Non-DC IP address] GUID Accessed: [Replication GUID] Risk Level: [Critical/High/Medium/Low] Recommended Action: [Disable account, reset krbtgt, investigate]