T1003.006 Elastic Security · Elastic

Detect DCSync in Elastic Security

Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.006 DCSync
Canonical reference
https://attack.mitre.org/techniques/T1003/006/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.code == "4662"
    and winlog.event_data.ObjectType in~ ("domainDNS", "domain")
    and (
      winlog.event_data.Properties like~ "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
      or winlog.event_data.Properties like~ "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
      or winlog.event_data.AccessMask == "0x100"
    )
    and not winlog.event_data.SubjectUserName like~ "*$"
  )
  or
  (
    event.category == "process"
    and event.type == "start"
    and process.command_line like~ ("*lsadump::dcsync*", "*GetNCChanges*", "*IDL_DRSGetNCChanges*", "*drsuapi*")
  )
critical severity high confidence

Detects DCSync attacks by monitoring Windows Security Event 4662 for DRSUAPI replication GUIDs (DS-Replication-Get-Changes 1131f6aa and DS-Replication-Get-Changes-All 1131f6ad) on domainDNS or domain objects from non-machine accounts, and process creation events containing known DCSync tooling keywords including Mimikatz lsadump::dcsync, GetNCChanges, IDL_DRSGetNCChanges, and drsuapi.

Data Sources

Windows Security Audit Log (Event ID 4662)Sysmon Process Create (Event ID 1)Elastic Agent Windows integrationWinlogbeat

Required Tables

logs-windows.security*logs-system.security*winlogbeat-*.ds-logs-endpoint.events.process*

False Positives & Tuning

  • Azure AD Connect sync accounts (commonly named MSOL_* or AZUREADSSOACC*) performing legitimate scheduled directory synchronization — these accounts require DS-Replication-Get-Changes permissions and will fire on Event 4662 during normal sync cycles
  • Active Directory Federation Services (AD FS) or third-party identity providers (Okta AD agent, Ping Identity) configured with replication rights for attribute retrieval and hybrid identity synchronization
  • Security or backup tools such as Netwrix Auditor, Varonis, or Quest Change Auditor that actively monitor or snapshot Active Directory state using accounts granted replication permissions
Download portable Sigma rule (.yml)

Other platforms for T1003.006

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DCSync via Mimikatz lsadump::dcsync (krbtgt)

    Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.

  2. Test 2DCSync via Impacket secretsdump (Remote)

    Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.

  3. Test 3Check Account for Replication Rights (Reconnaissance)

    Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1003.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1003OS Credential Dumping

Related Sub-techniques

T1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1003.004LSA SecretsT1003.005Cached Domain CredentialsT1003.007Proc FilesystemT1003.008/etc/passwd and /etc/shadow

Related Techniques

T1003OS Credential DumpingT1003.003NTDST1558.001Golden TicketT1550.003Pass the TicketT1078.002Domain AccountsT1098.001Additional Cloud Credentials

Same Tactic: Credential Access

Popular Detections