T1003.006 Google Chronicle · YARA-L

Detect DCSync in Google Chronicle

Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of the Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull current and historical NTLM hashes for any account, including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Tooling and groups observed using the technique include Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Extracting the krbtgt hash in turn enables Golden Ticket creation.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.006 DCSync
Canonical reference
https://attack.mitre.org/techniques/T1003/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule dcsync_drsuapi_replication_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects DCSync attacks (T1003.006) by monitoring Windows Security Event 4662 for DRSUAPI DS-Replication-Get-Changes and DS-Replication-Get-Changes-All GUIDs on domain objects from non-machine accounts. Covers Mimikatz lsadump::dcsync, Cobalt Strike dcsync, and custom DRSUAPI tooling."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "TA0006 - Credential Access"
    mitre_attack_technique = "T1003.006 - OS Credential Dumping: DCSync"
    false_positives = "Azure AD Connect, AD FS, identity sync tools with replication rights"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.metadata.product_event_type = "4662"
    (
      $e.target.resource.attribute.labels["Object Type"] = "domainDNS"
      or $e.target.resource.attribute.labels["Object Type"] = "domain"
    )
    (
      $e.target.resource.attribute.labels["Properties"] = /1131f6aa-9c07-11d1-f79f-00c04fc2dcd2/ nocase
      or $e.target.resource.attribute.labels["Properties"] = /1131f6ad-9c07-11d1-f79f-00c04fc2dcd2/ nocase
      or $e.target.resource.attribute.labels["Access Mask"] = "0x100"
    )
    not $e.principal.user.userid = /\$$/ nocase

  condition:
    $e
}
Severity: critical · Confidence: high

Google Chronicle YARA-L 2.0 rule that monitors UDM USER_RESOURCE_ACCESS events sourced from Microsoft-Windows-Security-Auditing for Event ID 4662 records carrying the DRSUAPI replication-right GUIDs. It targets the domain and domainDNS object types, excludes machine accounts by matching a trailing '$' on principal.user.userid, and fires on any of DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, or a 0x100 (control access) access mask.

Data Sources

  • Windows Security Event Log ingested via Chronicle Forwarder (Windows Event Log collection)
  • Google Cloud Chronicle Ingestion API with Windows Security audit events

Required Tables

UDM Events (USER_RESOURCE_ACCESS type, Microsoft-Windows-Security-Auditing product)

False Positives & Tuning

  • Azure Active Directory Connect and AAD Sync service accounts performing hybrid identity synchronization — these accounts have DS-Replication-Get-Changes rights and trigger Event 4662 on a regular schedule
  • Active Directory Rights Management Services (AD RMS) or Certificate Services components that enumerate directory information using accounts with replication rights delegated during installation
  • Enterprise SIEM or UEBA platforms (Splunk UBA, Microsoft Sentinel UEBA, Exabeam) that perform Active Directory enrichment using service accounts with read-access replication permissions
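To show how the rule's predicate and the tuning advice above behave on concrete records, here is an added Python example that is not part of this page or of Chronicle: it replays constructed Event 4662/4624 records flattened to key=value lines, mirrors the YARA-L conditions (object type, replication-right GUIDs or 0x100 mask, machine-account exclusion) in plain code, and applies an allowlist for an identity-sync account whose name, MSOL_EXAMPLE, is a placeholder.

```python
import re

# DRSUAPI control-access right GUIDs used by the rule above.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DOMAIN_OBJECT_TYPES = {"domain", "domainDNS"}

# Constructed allowlist for identity-sync accounts (the tuning section's
# Azure AD Connect case); MSOL_EXAMPLE is a placeholder, not a real account.
SYNC_ALLOWLIST = {"MSOL_EXAMPLE"}

# Constructed sample records flattened to "key=value | key=value" lines.
SAMPLE_LOGS = """\
EventID=4662 | SubjectUserName=jdoe | ObjectType=domainDNS | AccessMask=0x100 | Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 | SubjectUserName=DC01$ | ObjectType=domainDNS | AccessMask=0x100 | Properties={1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}
EventID=4662 | SubjectUserName=MSOL_EXAMPLE | ObjectType=domainDNS | AccessMask=0x100 | Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 | SubjectUserName=jdoe | ObjectType=user | AccessMask=0x10 | Properties={bf967aba-0de6-11d0-a285-00aa003049e2}
EventID=4624 | SubjectUserName=jdoe | ObjectType=domainDNS | AccessMask=0x100 | Properties=-
"""

def parse_line(line):
    """Split one flattened record into a dict (the UDM labels the rule reads)."""
    return dict(part.split("=", 1) for part in line.split(" | "))

def matches_rule(rec):
    """Mirror the YARA-L predicate: Event 4662 on a domain/domainDNS object with a
    replication-right GUID or 0x100 mask, from a principal that is not a machine account."""
    if rec.get("EventID") != "4662":
        return False
    if rec.get("ObjectType") not in DOMAIN_OBJECT_TYPES:
        return False
    props = rec.get("Properties", "").lower()  # the rule's regexes are nocase
    has_right = (GET_CHANGES in props or GET_CHANGES_ALL in props
                 or rec.get("AccessMask") == "0x100")
    if not has_right:
        return False
    # "not $e.principal.user.userid = /\$$/": drop computer accounts
    return re.search(r"\$$", rec.get("SubjectUserName", "")) is None

def alerts(log_text, allowlist=SYNC_ALLOWLIST):
    """Return subject names that would still alert after the allowlist is applied."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if matches_rule(rec) and rec["SubjectUserName"] not in allowlist:
            hits.append(rec["SubjectUserName"])
    return hits

if __name__ == "__main__":
    print(alerts(SAMPLE_LOGS))  # ['jdoe']
```

Only the interactive user's request survives: the DC01$ record is dropped by the machine-account exclusion, the non-domain object and the 4624 record never match, and MSOL_EXAMPLE is suppressed by the allowlist rather than by the rule itself.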

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DCSync via Mimikatz lsadump::dcsync (krbtgt)

    Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.

  2. Test 2: DCSync via Impacket secretsdump (remote)

    Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.

  3. Test 3: Check account for replication rights (reconnaissance)

    Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.
