T1003.006 IBM QRadar · QRadar

Detect DCSync in IBM QRadar

Adversaries abuse the Directory Replication Service Remote Protocol (the DRSUAPI RPC interface) to impersonate a domain controller and request replication of directory data, extracting password material without ever touching NTDS.dit on disk. Any principal holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain naming context, which Administrators, Domain Admins, Enterprise Admins, and the domain controllers themselves hold by default, can call IDL_DRSGetNCChanges to pull current and historical NTLM hashes for any account, including krbtgt. Mimikatz implements this as lsadump::dcsync. Procedure examples on the ATT&CK page include Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. The krbtgt hash it yields is what Golden Ticket forgery requires.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1003 OS Credential Dumping
Sub-technique
T1003.006 DCSync
Canonical reference
https://attack.mitre.org/techniques/T1003/006/

QRadar Detection Query

IBM QRadar (AQL)

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS subject_account,
  "Account Domain" AS subject_domain,
  "Object Name" AS object_name,
  "Object Type" AS object_type,
  "Properties" AS properties,
  "Access Mask" AS access_mask,
  CASE
    WHEN "Properties" ILIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' THEN 'DS-Replication-Get-Changes'
    WHEN "Properties" ILIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' THEN 'DS-Replication-Get-Changes-All'
    WHEN "Properties" ILIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' THEN 'DS-Replication-Get-Changes-In-Filtered-Set'
    ELSE 'Unknown'
  END AS replication_right
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND "EventID" = '4662'
  AND (
    "Object Type" ILIKE 'domainDNS'
    OR "Object Type" ILIKE 'domain'
    OR "Object Type" ILIKE '%19195a5b-6da0-11d0-afd3-00c04fd930c9%'
  )
  AND (
    "Properties" ILIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%'
    OR "Properties" ILIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%'
    OR "Properties" ILIKE '%89e95b76-444d-4c62-991a-0facbeda640c%'
  )
  AND username NOT LIKE '%$'
ORDER BY starttime DESC
LIMIT 1000
LAST 24 HOURS

Severity: critical · Confidence: high

Detects DCSync in IBM QRadar by querying Windows Security Event ID 4662 from Microsoft Windows Security Event Log sources (LOGSOURCETYPEID=12). It matches the DRS replication extended-right GUIDs in the Properties field on the domain naming-context object (Object Type domainDNS or domain, or the domainDNS class GUID 19195a5b-6da0-11d0-afd3-00c04fd930c9 when the DC does not resolve the class name), excludes machine accounts so that routine DC-to-DC replication performed by DC$ accounts is dropped, and labels the specific replication right for analyst triage. Access Mask 0x100 (Control Access) is selected for context only: every extended right on the domain object carries that mask, so a 0x100 match without a replication GUID is not DCSync and must not be alerted on by itself.

Data Sources

Microsoft Windows Security Event Log (LOGSOURCETYPEID=12)
Microsoft Windows Sysmon (LOGSOURCETYPEID=396)

Required Tables

events

False Positives & Tuning

  • Azure AD Connect (its AD DS connector account is named MSOL_ followed by a hexadecimal suffix) and the older Microsoft Directory Synchronization (DirSync) service accounts use the same replication rights for password hash synchronization, so they generate Event 4662 with the replication GUIDs on a fixed cadence aligned with the sync interval. Allow-list them by account name together with the sync server's address, and alert if that account replicates from any other host
  • On-premises Active Directory replication health monitoring tools that use service accounts holding DS-Replication-Get-Changes to validate replication topology and detect replication failures
  • Privileged access management (PAM) solutions that perform just-in-time group membership checks or access reviews against domain objects using delegated replication permissions
  • Prerequisite rather than a false positive: a DC writes 4662 for these accesses only when Success auditing is enabled for the Directory Service Access subcategory and the domain object's SACL audits Control Access. Confirm the log source is delivering 4662 before treating an empty result as absence of DCSync
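The filter the AQL query applies, together with the tuning exclusions above, modelled in Python as an added example (not part of this page or of QRadar) and run over constructed 4662 records rather than real telemetry. It goes one step beyond the query by also recognising the DS-Replication-Get-Changes-In-Filtered-Set right, and it treats the Control Access mask (0x100) as necessary but not sufficient, since that mask is set for every extended right on the domain object. The MSOL_ allow-list prefix, the account names, and the Properties text of the samples are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extended-right GUIDs from the AD schema. The first two are the ones the
# AQL query matches; the third (filtered-set replication) is added here so
# the classifier also covers that less common variant.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the Access Mask 4662 reports for any extended right
# Object Type as QRadar sees it: the resolved class name, or the domainDNS class GUID when unresolved
DOMAIN_OBJECT_TYPES = {"domaindns", "domain", "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)
# Assumed tuning allow-list: the Azure AD Connect connector account prefix
ALLOWLISTED_PREFIXES = ("MSOL_",)


@dataclass
class Event4662:
    """The 4662 fields the query selects, as QRadar custom properties would hold them."""
    event_id: int
    subject_user: str      # "username" in the AQL query
    subject_domain: str
    object_type: str       # e.g. "domainDNS" or "%{19195a5b-...}"
    properties: str        # multi-line Properties text: access type, then the GUIDs it covers
    access_mask: int


def replication_right(ev: Event4662) -> Optional[str]:
    """Name the DRS replication right in Properties, or None when the event is not DCSync.

    Same logic as the CASE expression in the query, with two tightenings: the
    object must be the domain naming context, and the Control Access bit alone
    is not enough, because every extended right (DS-Replication-Synchronize,
    for instance) carries mask 0x100.
    """
    if ev.event_id != 4662 or not ev.access_mask & CONTROL_ACCESS:
        return None
    if ev.object_type.lstrip("%").lower() not in DOMAIN_OBJECT_TYPES:
        return None
    for guid in GUID_RE.findall(ev.properties):
        right = REPLICATION_RIGHTS.get(guid.lower())
        if right is not None:
            return right
    return None


def is_dcsync_candidate(ev: Event4662) -> bool:
    """Apply the query's account filter (no machine accounts) plus the tuning allow-list."""
    if ev.subject_user.endswith("$"):                    # DC$ accounts: routine DC-to-DC replication
        return False
    if ev.subject_user.upper().startswith(ALLOWLISTED_PREFIXES):
        return False
    return replication_right(ev) is not None


def triage(events: List[Event4662]) -> List[Tuple[str, str]]:
    """Return (subject account, replication right) for each event the detection would surface."""
    return [(ev.subject_user, replication_right(ev)) for ev in events if is_dcsync_candidate(ev)]


def _props(*guids: str) -> str:
    """Build Properties text in the layout Windows uses for a Control Access entry."""
    return "Control Access\n" + "".join(f"\t\t{{{g}}}\n" for g in guids)


DOMAIN_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
# Constructed sample records (not real telemetry); account names are invented.
SAMPLE_EVENTS = [
    # 1. Interactive user pulling everything with Get-Changes-All: must alert
    Event4662(4662, "jdoe", "CORP", "%{" + DOMAIN_CLASS + "}",
              _props("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_CLASS), 0x100),
    # 2. Domain controller replicating as its machine account: excluded by the '$' filter
    Event4662(4662, "DC02$", "CORP", "domainDNS",
              _props("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_CLASS), 0x100),
    # 3. Azure AD Connect connector account on its sync cadence: excluded by the allow-list
    Event4662(4662, "MSOL_0f3a9c1e7b2d", "CORP", "domainDNS",
              _props("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_CLASS), 0x100),
    # 4. Replication health check using DS-Replication-Synchronize: mask 0x100 but not DCSync
    Event4662(4662, "svc-repmon", "CORP", "domainDNS",
              _props("1131f6ab-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_CLASS), 0x100),
    # 5. Filtered-set replication by a user account: surfaced by the extended classifier
    Event4662(4662, "svc-backup", "CORP", "domain",
              _props("89e95b76-444d-4c62-991a-0facbeda640c", DOMAIN_CLASS), 0x100),
]

if __name__ == "__main__":
    for subject, right in triage(SAMPLE_EVENTS):
        print(f"{subject}: {right}")
```

Sample 4 is the case the bare Access Mask check gets wrong: DS-Replication-Synchronize is an extended right on the same object with the same 0x100 mask, so the GUID, not the mask, is what separates a topology probe from a credential dump.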

Testing Methodology

Validate this detection with the three test cases below, drawn from Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: DCSync via Mimikatz lsadump::dcsync (krbtgt)

    Expected signal: Security EventID 4662 on the DC, typically one event per replication right checked (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), with the running user as the subject and the domain naming context as the object. Sysmon EventID 1 on the workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. RPC traffic from the workstation to the DC: the endpoint mapper on TCP 135, then the dynamic high port on which the DRSUAPI interface is registered.

  2. Test 2: DCSync via Impacket secretsdump (remote)

    Expected signal: Security EventID 4662 on the DC with DS-Replication-Get-Changes-All access from the supplied account. Network logon events (EventID 4624, logon type 3) on the DC from the attacker IP, and connections from that IP to TCP 445 and to the DRSUAPI RPC endpoint (TCP 135 plus a dynamic port).

  3. Test 3: Check account for replication rights (reconnaissance)

    Expected signal: PowerShell ScriptBlock Log EventID 4104 containing Get-ADDomain and Get-Acl. Security EventID 4662 on the DC for a read of the domain object's security descriptor (Access Mask 0x20000, READ_CONTROL) if the SACL audits it; that event carries no replication GUID, so the DCSync query does not fire on it. LDAP connection from the workstation to the DC.
