OpenSkillIndex← back to search
claude-code

Asi hunting-for-dcsync-attacks

Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.

install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/hunting-for-dcsync-attacks" ~/.claude/skills/plurigrid-asi-hunting-for-dcsync-attacks && rm -rf "$T"
manifest: plugins/asi/skills/hunting-for-dcsync-attacks/SKILL.md
tags
#threat-hunting#dcsync#active-directory#credential-access#t1003.006#mimikatz#windows#dfir
source content

Hunting for DCSync Attacks

When to Use

  • When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
  • After detecting Mimikatz or similar tools in the environment
  • During incident response involving Active Directory compromise
  • When monitoring for unauthorized domain replication requests
  • During purple team exercises testing AD attack detection

Prerequisites

  • Windows Security Event Log forwarding enabled (Event ID 4662)
  • Audit Directory Service Access enabled via Group Policy
  • Domain Computers SACL configured on Domain Object for machine account detection
  • SIEM with Windows event data ingested (Splunk, Elastic, Sentinel)
  • Knowledge of legitimate domain controller accounts and replication partners

Workflow

  1. Enable Auditing: Ensure Audit Directory Service Access is enabled on domain controllers.
  2. Collect Events: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access).
  3. Filter Replication GUIDs: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
  4. Identify Non-DC Sources: Flag events where SubjectUserName is not a domain controller machine account.
  5. Correlate with Network: Cross-reference source IPs against known DC addresses.
  6. Validate Findings: Exclude legitimate replication tools (Azure AD Connect, SCCM).
  7. Respond: Disable compromised accounts, reset krbtgt, investigate lateral movement.

Key Concepts

ConceptDescription
DCSyncTechnique abusing AD replication protocol to extract password hashes
Event ID 4662Directory Service Access audit event
DS-Replication-Get-ChangesGUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
DS-Replication-Get-Changes-AllGUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
AccessMask 0x100Control Access right indicating extended rights verification
T1003.006OS Credential Dumping: DCSync

Tools & Systems

ToolPurpose
Windows Event ViewerDirect event log analysis
SplunkSIEM correlation of Event 4662
Elastic SecurityDetection rules for DCSync patterns
Mimikatz lsadump::dcsyncAttack tool used to perform DCSync
Impacket secretsdump.pyPython-based DCSync implementation
BloodHoundIdentify accounts with replication rights

Output Format

Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Technique: T1003.006
Domain Controller: [DC hostname]
Subject Account: [Account performing replication]
Source IP: [Non-DC IP address]
GUID Accessed: [Replication GUID]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Disable account, reset krbtgt, investigate]