detecting-dcsync-attack-in-active-directory

# Detecting DCSync Attack in Active Directory ## When to Use - When hunting for credential theft in Active Directory environments - After compromise of accounts with Replicating Directory Changes permissions - When investigating suspected use of Mimikatz or Impacket secretsdump - During incident response involving lateral movement with domain admin credentials - When auditing AD replication permissions as part of security hardening ## Prerequisites - Windows Security Event Logs with Event ID 4662 (Object Access) enabled - Advanced Audit Policy: Audit Directory Service Access enabled - Domain Controller event forwarding to SIEM - Knowledge of legitimate domain controller hostnames and IPs - Directory Service Access auditing with SACL on domain object ## Workflow 1. **Identify Legitimate Replication Sources**: Document all domain controllers in the environment by hostname, IP, and computer account. Only these should perform directory replication. 2. **Enable Required Auditing**: Configure Advanced Audit Policy to capture Event ID 4662 on domain controllers with specific GUID monitoring for replication rights. 3. **Monitor Replication Rights Access**: Track access to three critical GUIDs -- DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2), DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), and DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c). 4. **Detect Non-DC Replication Requests**: Alert when any acco...