Detect DCSync in Microsoft Sentinel
Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.006 DCSync
- Canonical reference
- https://attack.mitre.org/techniques/T1003/006/
KQL Detection Query
```kql
let DCSyncAuditEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4662
| where ObjectType in~ ("domainDNS", "domain")
// DS-Replication-Get-Changes (1131f6aa) and DS-Replication-Get-Changes-All (1131f6ad)
| where Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or AccessMask == "0x100"
// Exclude machine accounts (DCs replicate normally)
| where not(SubjectUserName endswith "$")
// Exclude known sync accounts (e.g., Azure AD Connect, whose on-prem account is named MSOL_<id>);
// add other approved directory-sync accounts to this filter
| where not(SubjectUserName startswith "MSOL_")
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName,
    ObjectName, AccessMask, Properties;
let DCSyncTooling = DeviceProcessEvents
| where Timestamp > ago(24h)
// has_any is case-insensitive, so one spelling of each marker is enough
| where ProcessCommandLine has_any (
    "lsadump::dcsync", "dcsync",
    "drsuapi", "GetNCChanges", "IDL_DRSGetNCChanges"
)
// Align the timestamp column name so the union sorts on a single field
| project TimeGenerated = Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine;
union DCSyncAuditEvents, DCSyncTooling
| sort by TimeGenerated desc
```

Detects DCSync attacks via two vectors: (1) Security Event ID 4662 showing DS-Replication-Get-Changes access from non-machine accounts on domain controllers (the network-based detection), and (2) process creation events for DCSync tooling such as Mimikatz lsadump::dcsync. The Event ID 4662 approach is the most reliable, as it captures the actual replication request at the DC; the process-creation branch only fires when the tooling runs on a monitored endpoint with an unobfuscated command line.
Data Sources
Required Tables
False Positives & Tuning
- Azure AD Connect and other legitimate directory synchronization services that use DRSUAPI (configure an explicit exclusion for the sync account)
- Active Directory replication between domain controllers — machine accounts (ending in $) are excluded but verify the exclusion is complete
- Privileged Identity Management (PIM) tooling that reads directory data via replication APIs
- Directory Services administrative tools run by authorized AD administrators during maintenance
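The following is an added example, not code from this page or from Microsoft Sentinel: the two branches of the KQL rule above (Event ID 4662 replication access and DCSync tooling on the command line) re-implemented in plain Python, together with the machine-account and sync-account exclusions from the tuning list, and run over constructed sample events so the filtering can be exercised offline. The event field names, the sample events, and the MSOL_ prefix used as the Azure AD Connect sync-account convention are assumptions of the example.

```python
# Added example (not from the page or Microsoft Sentinel): the KQL rule's two
# detection branches re-implemented in plain Python and run over constructed
# events, so the filtering and tuning logic can be exercised offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Control-access GUIDs of the two replication extended rights checked by the rule.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Command-line markers from the rule's tooling branch (matched case-insensitively, like has_any).
TOOLING_MARKERS = ("lsadump::dcsync", "dcsync", "drsuapi", "getncchanges")

# Tuning: prefixes of accounts allowed to replicate. Assumption: MSOL_ is the
# Azure AD Connect naming convention; extend with your own approved sync accounts.
SYNC_ACCOUNT_PREFIXES = ("MSOL_",)


@dataclass
class SecurityEvent4662:
    """Fields of a Windows Security event 4662 that the rule uses (names assumed)."""
    computer: str
    subject_user_name: str
    object_type: str
    access_mask: str
    properties: List[str]  # GUIDs listed in the event's Properties field


@dataclass
class ProcessEvent:
    """Fields of a process-creation event that the rule uses (names assumed)."""
    device_name: str
    account_name: str
    process_command_line: str


def is_machine_account(name: str) -> bool:
    return name.endswith("$")


def is_known_sync_account(name: str) -> bool:
    return name.upper().startswith(SYNC_ACCOUNT_PREFIXES)


def classify_4662(ev: SecurityEvent4662) -> Optional[str]:
    """Return 'replication_access' when the event matches the rule's 4662 branch."""
    if ev.object_type.lower() not in ("domaindns", "domain"):
        return None
    replication_right = bool(REPLICATION_GUIDS.intersection(g.lower() for g in ev.properties))
    # The rule also fires on AccessMask 0x100 (control access) alone; this is its noisiest branch.
    if not replication_right and ev.access_mask.lower() != "0x100":
        return None
    if is_machine_account(ev.subject_user_name) or is_known_sync_account(ev.subject_user_name):
        return None
    return "replication_access"


def classify_process(ev: ProcessEvent) -> Optional[str]:
    """Return 'dcsync_tooling' when the command line carries a DCSync tooling marker."""
    cmd = ev.process_command_line.lower()
    return "dcsync_tooling" if any(m in cmd for m in TOOLING_MARKERS) else None


def detect(sec_events: List[SecurityEvent4662],
           proc_events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Union of both branches as (kind, actor, host) tuples, mirroring the KQL union."""
    hits: List[Tuple[str, str, str]] = []
    for sec in sec_events:
        kind = classify_4662(sec)
        if kind:
            hits.append((kind, sec.subject_user_name, sec.computer))
    for proc in proc_events:
        kind = classify_process(proc)
        if kind:
            hits.append((kind, proc.account_name, proc.device_name))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_4662 = [
    # Normal DC-to-DC replication: machine account, excluded.
    SecurityEvent4662("DC01", "DC02$", "domainDNS", "0x100", [DS_REPLICATION_GET_CHANGES_ALL]),
    # Azure AD Connect sync account (constructed name), excluded by the tuning prefix.
    SecurityEvent4662("DC01", "MSOL_0123abcd", "domainDNS", "0x100", [DS_REPLICATION_GET_CHANGES_ALL]),
    # Interactive user requesting Get-Changes-All: the DCSync signal.
    SecurityEvent4662("DC01", "jdoe", "domainDNS", "0x100", [DS_REPLICATION_GET_CHANGES_ALL]),
    # Plain read of the domain object (reconnaissance-style), no replication right: not a hit.
    SecurityEvent4662("DC01", "helpdesk1", "domainDNS", "0x10", []),
]
SAMPLE_PROCESSES = [
    ProcessEvent("WS-42", "jdoe", 'mimikatz.exe "lsadump::dcsync"'),
    ProcessEvent("WS-42", "jdoe", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_4662, SAMPLE_PROCESSES):
        print(hit)
```

Running the block prints one hit per branch: the replication request by jdoe on DC01 and the tooling command line on WS-42, while the DC machine account, the MSOL_ sync account, and the plain domain read are filtered out. Note that the `AccessMask == "0x100"` branch matches any control-access right on the domain object, not only the replication rights, so in a real tenant it is the first place to look when the rule is noisy.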
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DCSync via Mimikatz lsadump::dcsync (krbtgt)
  Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.
- Test 2: DCSync via Impacket secretsdump (remote)
  Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.
- Test 3: Check account for replication rights (reconnaissance)
  Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.
References
- https://attack.mitre.org/techniques/T1003/006/
- https://adsecurity.org/?p=1729
- https://msdn.microsoft.com/library/cc228086.aspx
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md