hunting-for-dcsync-attacks

# Hunting for DCSync Attacks ## When to Use - When hunting for DCSync credential theft (MITRE ATT&CK T1003.006) - After detecting Mimikatz or similar tools in the environment - During incident response involving Active Directory compromise - When monitoring for unauthorized domain replication requests - During purple team exercises testing AD attack detection ## Prerequisites - Windows Security Event Log forwarding enabled (Event ID 4662) - Audit Directory Service Access enabled via Group Policy - Domain Computers SACL configured on Domain Object for machine account detection - SIEM with Windows event data ingested (Splunk, Elastic, Sentinel) - Knowledge of legitimate domain controller accounts and replication partners ## Workflow 1. **Enable Auditing**: Ensure Audit Directory Service Access is enabled on domain controllers. 2. **Collect Events**: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access). 3. **Filter Replication GUIDs**: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. 4. **Identify Non-DC Sources**: Flag events where SubjectUserName is not a domain controller machine account. 5. **Correlate with Network**: Cross-reference source IPs against known DC addresses. 6. **Validate Findings**: Exclude legitimate replication tools (Azure AD Connect, SCCM). 7. **Respond**: Disable compromised accounts, reset krbtgt, investigate lateral movement. ## Key Concepts | Concept | Description | |---------|-------------| | DCSync | Te...