Detect DCSync in Splunk
Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.006 DCSync
- Canonical reference
- https://attack.mitre.org/techniques/T1003/006/
SPL Detection Query
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4662
(Object_Type="domainDNS" OR Object_Type="domain")
(Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Access_Mask="0x100")
NOT Subject_Account_Name="*$"
| eval ReplicationRight=case(
match(Properties, "1131f6aa"), "DS-Replication-Get-Changes",
match(Properties, "1131f6ad"), "DS-Replication-Get-Changes-All",
Access_Mask="0x100", "Replication-Access-0x100",
1==1, "Unknown"
)
| table _time, host, Subject_Account_Name, Subject_Domain, Object_Name, Access_Mask, ReplicationRight
| sort - _time
| append
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine="*dcsync*" OR CommandLine="*lsadump::dcsync*" OR CommandLine="*GetNCChanges*")
| table _time, host, Image, CommandLine, User]Detects DCSync replication attacks using Security Event ID 4662 for DS-Replication-Get-Changes(-All) access rights from non-machine accounts, combined with Sysmon Event ID 1 for DCSync tool command patterns. The GUID 1131f6aa is DS-Replication-Get-Changes and 1131f6ad is DS-Replication-Get-Changes-All — both are required for full hash extraction.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Azure AD Connect service account performing Password Hash Synchronization via DRSUAPI
- Domain controller-to-domain controller replication (excluded via machine account filter)
- SCCM or other management tools querying domain replication status
- Authorized penetration testing with documented scope
Other platforms for T1003.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DCSync via Mimikatz lsadump::dcsync (krbtgt)
Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.
- Test 2DCSync via Impacket secretsdump (Remote)
Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.
- Test 3Check Account for Replication Rights (Reconnaissance)
Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.
References (6)
- https://attack.mitre.org/techniques/T1003/006/
- https://adsecurity.org/?p=1729
- https://msdn.microsoft.com/library/cc228086.aspx
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md
Unlock Pro Content
Get the full detection package for T1003.006 including response playbook, investigation guide, and atomic red team tests.