Detect DCSync in CrowdStrike LogScale
Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.006 DCSync
- Canonical reference
- https://attack.mitre.org/techniques/T1003/006/
LogScale Detection Query
#event_simpleName = ProcessRollup2
| regex("(?i)(lsadump::dcsync|dcsync|GetNCChanges|IDL_DRSGetNCChanges|drsuapi)", field=CommandLine)
| table([ContextTimeStamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SHA256HashData])
| sort(field=ContextTimeStamp, order=desc)Detects DCSync tooling execution in CrowdStrike Falcon LogScale by monitoring ProcessRollup2 events for command lines matching known DRSUAPI and DCSync tool signatures including Mimikatz lsadump::dcsync, GetNCChanges, IDL_DRSGetNCChanges, and drsuapi. Captures process context including parent process and SHA256 hash for rapid attribution and hash-based blocking.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing engagements using Mimikatz or Cobalt Strike against in-scope domain controllers — these should be preceded by a change management record; correlate against the authorized test window
- Security researchers or detection engineers running Atomic Red Team tests (T1003.006) on dedicated lab hosts to validate detection coverage — these will produce identical process telemetry
- Domain administrators using repadmin.exe with verbose flags during replication troubleshooting may produce logs referencing GetNCChanges in diagnostic output written to child processes
Other platforms for T1003.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DCSync via Mimikatz lsadump::dcsync (krbtgt)
Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.
- Test 2DCSync via Impacket secretsdump (Remote)
Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.
- Test 3Check Account for Replication Rights (Reconnaissance)
Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.
References (6)
- https://attack.mitre.org/techniques/T1003/006/
- https://adsecurity.org/?p=1729
- https://msdn.microsoft.com/library/cc228086.aspx
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md
Unlock Pro Content
Get the full detection package for T1003.006 including response playbook, investigation guide, and atomic red team tests.