Detect DCSync in Sumo Logic CSE
Adversaries abuse the Windows Directory Replication Service (DRSUAPI) API to simulate replication from a domain controller and extract password data without direct access to the NTDS.dit file. Members of Administrators, Domain Admins, or Enterprise Admins groups can call IDL_DRSGetNCChanges to pull NTLM hashes and historical hashes for accounts including krbtgt. Mimikatz implements this as 'lsadump::dcsync'. Used by Mimikatz, Cobalt Strike, Earth Lusca, Mustang Panda, Storm-0501, and LAPSUS$. Enables Golden Ticket creation via krbtgt hash extraction.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1003 OS Credential Dumping
- Sub-technique
- T1003.006 DCSync
- Canonical reference
- https://attack.mitre.org/techniques/T1003/006/
Sumo Detection Query
_sourceCategory=windows/security EventCode=4662
| where Object_Type="domainDNS" OR Object_Type="domain"
| where (Properties matches "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*"
OR Properties matches "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*"
OR Access_Mask="0x100")
| where !(Subject_Account_Name matches "*$")
| if (Properties matches "*1131f6aa*", "DS-Replication-Get-Changes",
if (Properties matches "*1131f6ad*", "DS-Replication-Get-Changes-All",
"Replication-Access-0x100")) as ReplicationRight
| fields _messageTime, _sourceHost, Subject_Account_Name, Subject_Domain_Name, Object_Name, Access_Mask, ReplicationRight
| sort by _messageTime descDetects DCSync attacks in Sumo Logic by parsing Windows Security Event 4662 for DRSUAPI replication GUIDs on domain object types. Excludes machine accounts (domain controllers performing normal replication) and enriches each event with the specific replication right requested — DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, or the 0x100 access mask variant — to accelerate analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Azure AD Connect sync accounts (MSOL_*, AZUREADSSOACC*) performing scheduled directory synchronization — add these known accounts with a NOT clause on Subject_Account_Name to suppress recurring alerts
- Okta, Ping Identity, or similar identity provider agents that connect to on-premises Active Directory for user provisioning or attribute sync using accounts with delegated replication rights
- Custom compliance or audit scripts run by domain administrators that query replication metadata using repadmin.exe or LDAP with accounts that have been granted DS-Replication-Get-Changes
Other platforms for T1003.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DCSync via Mimikatz lsadump::dcsync (krbtgt)
Expected signal: Security EventID 4662 on DC: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access from the running user's account. Sysmon EventID 1 on workstation: process creation for mimikatz.exe with lsadump::dcsync in CommandLine. Network traffic on DRSUAPI RPC ports from workstation to DC.
- Test 2DCSync via Impacket secretsdump (Remote)
Expected signal: Security EventID 4662 on DC with DS-Replication-Get-Changes-All access from the provided account. Network connection from attacker IP to DC on port 445 and DRSUAPI RPC ports. SMB authentication events (EventID 4624) on DC from attacker IP.
- Test 3Check Account for Replication Rights (Reconnaissance)
Expected signal: PowerShell ScriptBlock Log EventID 4104 with Get-ADDomain and Get-Acl commands. Security EventID 4662 for domain object read access. Network connection to DC for LDAP query.
References (6)
- https://attack.mitre.org/techniques/T1003/006/
- https://adsecurity.org/?p=1729
- https://msdn.microsoft.com/library/cc228086.aspx
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump
- https://blog.harmj0y.net/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md
Unlock Pro Content
Get the full detection package for T1003.006 including response playbook, investigation guide, and atomic red team tests.