Hunting for DCSync Attacks

When to Use

• When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
• After detecting Mimikatz or similar tools in the environment
• During incident response involving Active Directory compromise
• When monitoring for unauthorized domain replication requests
• During purple team exercises testing AD attack detection

Prerequisites

• Windows Security Event Log forwarding enabled (Event ID 4662)
• Audit Directory Service Access enabled via Group Policy
• Domain Computers SACL configured on Domain Object for machine account detection
• SIEM with Windows event data ingested (Splunk, Elastic, Sentinel)
• Knowledge of legitimate domain controller accounts and replication partners

Workflow