T1003.006 DCSync Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let DCSyncAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4662
| where ObjectType in~ ("domainDNS", "domain")
// DS-Replication-Get-Changes (1131f6aa) and DS-Replication-Get-Changes-All (1131f6ad)
| where Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or AccessMask == "0x100"
// Exclude machine accounts (DCs replicate normally)
| where not(SubjectUserName endswith "$")
// Exclude known sync accounts (e.g., Azure AD Connect)
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName,
          ObjectName, AccessMask, Properties;
let DCSyncTooling = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
    "lsadump::dcsync", "dcsync", "DCSync",
    "drsuapi", "GetNCChanges", "IDL_DRSGetNCChanges"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union DCSyncAuditEvents, DCSyncTooling
| sort by TimeGenerated desc, Timestamp desc

critical severity high confidence

Data Sources

Active Directory: Active Directory Object Access Process: Process Creation Windows Security Event Log

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Azure AD Connect and other legitimate directory synchronization services that use DRSUAPI (configure an explicit exclusion for the sync account)
Active Directory replication between domain controllers — machine accounts (ending in $) are excluded but verify the exclusion is complete
Privileged Identity Management (PIM) tooling that reads directory data via replication APIs
Directory Services administrative tools run by authorized AD administrators during maintenance

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4662
  (Object_Type="domainDNS" OR Object_Type="domain")
  (Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Access_Mask="0x100")
  NOT Subject_Account_Name="*$"
| eval ReplicationRight=case(
    match(Properties, "1131f6aa"), "DS-Replication-Get-Changes",
    match(Properties, "1131f6ad"), "DS-Replication-Get-Changes-All",
    Access_Mask="0x100", "Replication-Access-0x100",
    1==1, "Unknown"
  )
| table _time, host, Subject_Account_Name, Subject_Domain, Object_Name, Access_Mask, ReplicationRight
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
   (CommandLine="*dcsync*" OR CommandLine="*lsadump::dcsync*" OR CommandLine="*GetNCChanges*")
  | table _time, host, Image, CommandLine, User]

critical severity high confidence

Data Sources

Active Directory: Active Directory Object Access Process: Process Creation Windows Security Event Log Sysmon Event ID 4662

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Azure AD Connect service account performing Password Hash Synchronization via DRSUAPI
Domain controller-to-domain controller replication (excluded via machine account filter)
SCCM or other management tools querying domain replication status
Authorized penetration testing with documented scope

Elastic Security (EQL)

eql

any where
  (
    event.code == "4662"
    and winlog.event_data.ObjectType in~ ("domainDNS", "domain")
    and (
      winlog.event_data.Properties like~ "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
      or winlog.event_data.Properties like~ "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
      or winlog.event_data.AccessMask == "0x100"
    )
    and not winlog.event_data.SubjectUserName like~ "*$"
  )
  or
  (
    event.category == "process"
    and event.type == "start"
    and process.command_line like~ ("*lsadump::dcsync*", "*GetNCChanges*", "*IDL_DRSGetNCChanges*", "*drsuapi*")
  )

critical severity high confidence

Data Sources

Windows Security Audit Log (Event ID 4662) Sysmon Process Create (Event ID 1) Elastic Agent Windows integration Winlogbeat

Required Tables

logs-windows.security* logs-system.security* winlogbeat-* .ds-logs-endpoint.events.process*

False Positives

Azure AD Connect sync accounts (commonly named MSOL_* or AZUREADSSOACC*) performing legitimate scheduled directory synchronization — these accounts require DS-Replication-Get-Changes permissions and will fire on Event 4662 during normal sync cycles
Active Directory Federation Services (AD FS) or third-party identity providers (Okta AD agent, Ping Identity) configured with replication rights for attribute retrieval and hybrid identity synchronization
Security or backup tools such as Netwrix Auditor, Varonis, or Quest Change Auditor that actively monitor or snapshot Active Directory state using accounts granted replication permissions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS subject_account,
  "Account Domain" AS subject_domain,
  "Object Name" AS object_name,
  "Object Type" AS object_type,
  "Properties" AS properties,
  "Access Mask" AS access_mask,
  CASE
    WHEN "Properties" ILIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' THEN 'DS-Replication-Get-Changes'
    WHEN "Properties" ILIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' THEN 'DS-Replication-Get-Changes-All'
    ELSE 'Replication-Access-0x100'
  END AS replication_right
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND "EventID" = '4662'
  AND (
    "Object Type" ILIKE 'domainDNS'
    OR "Object Type" ILIKE 'domain'
  )
  AND (
    "Properties" ILIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%'
    OR "Properties" ILIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%'
    OR "Access Mask" = '0x100'
  )
  AND username NOT LIKE '%$'
  AND starttime > CURRENT_TIMESTAMP - 86400000
ORDER BY starttime DESC
LIMIT 1000

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID=12) Microsoft Windows Sysmon (LOGSOURCETYPEID=396)

Required Tables

events

False Positives

Azure AD Connect or Microsoft Directory Synchronization service accounts performing scheduled replication cycles — these will generate Event 4662 with the replication GUIDs on a predictable schedule aligned with sync intervals
On-premises Active Directory replication health monitoring tools that use service accounts with DS-Replication-Get-Changes rights to validate replication topology and detect replication failures
Privileged access management (PAM) solutions that perform just-in-time group membership checks or access reviews against domain objects using delegated replication permissions

Sumo Logic CSE

sql

_sourceCategory=windows/security EventCode=4662
| where Object_Type="domainDNS" OR Object_Type="domain"
| where (Properties matches "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
    OR Properties matches "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
    OR Access_Mask="0x100")
| where !(Subject_Account_Name matches "*$")
| if (Properties matches "*1131f6aa*", "DS-Replication-Get-Changes",
     if (Properties matches "*1131f6ad*", "DS-Replication-Get-Changes-All",
         "Replication-Access-0x100")) as ReplicationRight
| fields _messageTime, _sourceHost, Subject_Account_Name, Subject_Domain_Name, Object_Name, Access_Mask, ReplicationRight
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector or Windows Event Collector (WEC) Sumo Logic Cloud-to-Cloud Microsoft Windows Event Log source

Required Tables

_sourceCategory=windows/security

False Positives

Azure AD Connect sync accounts (MSOL_*, AZUREADSSOACC*) performing scheduled directory synchronization — add these known accounts with a NOT clause on Subject_Account_Name to suppress recurring alerts
Okta, Ping Identity, or similar identity provider agents that connect to on-premises Active Directory for user provisioning or attribute sync using accounts with delegated replication rights
Custom compliance or audit scripts run by domain administrators that query replication metadata using repadmin.exe or LDAP with accounts that have been granted DS-Replication-Get-Changes

Google Chronicle / SecOps

yaral

rule dcsync_drsuapi_replication_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects DCSync attacks (T1003.006) by monitoring Windows Security Event 4662 for DRSUAPI DS-Replication-Get-Changes and DS-Replication-Get-Changes-All GUIDs on domain objects from non-machine accounts. Covers Mimikatz lsadump::dcsync, Cobalt Strike dcsync, and custom DRSUAPI tooling."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "TA0006 - Credential Access"
    mitre_attack_technique = "T1003.006 - OS Credential Dumping: DCSync"
    false_positives = "Azure AD Connect, AD FS, identity sync tools with replication rights"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.metadata.product_event_type = "4662"
    (
      $e.target.resource.attribute.labels["Object Type"] = "domainDNS"
      or $e.target.resource.attribute.labels["Object Type"] = "domain"
    )
    (
      $e.target.resource.attribute.labels["Properties"] = /1131f6aa-9c07-11d1-f79f-00c04fc2dcd2/ nocase
      or $e.target.resource.attribute.labels["Properties"] = /1131f6ad-9c07-11d1-f79f-00c04fc2dcd2/ nocase
      or $e.target.resource.attribute.labels["Access Mask"] = "0x100"
    )
    not $e.principal.user.userid = /\$$/ nocase

  condition:
    $e
}

critical severity high confidence

Data Sources

Windows Security Event Log ingested via Chronicle Forwarder (Windows Event Log collection) Google Cloud Chronicle Ingestion API with Windows Security audit events

Required Tables

UDM Events (USER_RESOURCE_ACCESS type, Microsoft-Windows-Security-Auditing product)

False Positives

Azure Active Directory Connect and AAD Sync service accounts performing hybrid identity synchronization — these accounts have DS-Replication-Get-Changes rights and trigger Event 4662 on a regular schedule
Active Directory Rights Management Services (AD RMS) or Certificate Services components that enumerate directory information using accounts with replication rights delegated during installation
Enterprise SIEM or UEBA platforms (Splunk UBA, Microsoft Sentinel UEBA, Exabeam) that perform Active Directory enrichment using service accounts with read-access replication permissions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| regex("(?i)(lsadump::dcsync|dcsync|GetNCChanges|IDL_DRSGetNCChanges|drsuapi)", field=CommandLine)
| table([ContextTimeStamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SHA256HashData])
| sort(field=ContextTimeStamp, order=desc)

critical severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (ProcessRollup2 events via Falcon sensor telemetry)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Authorized red team or penetration testing engagements using Mimikatz or Cobalt Strike against in-scope domain controllers — these should be preceded by a change management record; correlate against the authorized test window
Security researchers or detection engineers running Atomic Red Team tests (T1003.006) on dedicated lab hosts to validate detection coverage — these will produce identical process telemetry
Domain administrators using repadmin.exe with verbose flags during replication troubleshooting may produce logs referencing GetNCChanges in diagnostic output written to child processes

DCSync

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections