Executive Summary
DCSync abuses Active Directory replication rights to request password-derived data as though the requester were a domain controller. The request can originate from a non-domain-controller system and may expose high-impact credential material, including data associated with privileged accounts. The defining behavior is unauthorized directory replication, not direct access to ntds.dit on disk.
Why Attackers Use It
- Replication APIs provide credential data remotely without logging on to a domain controller interactively.
- Compromise of one sufficiently delegated identity can expose many domain credentials.
- Legitimate replication traffic already exists between domain controllers.
- The technique supports persistence and further ticket-forging activity when highly privileged secrets are obtained.
MITRE Description
MITRE classifies DCSync as T1003.006. An adversary with directory-replication permissions calls the Directory Replication Service Remote Protocol and requests replication changes. Rights commonly relevant to the technique include Replicating Directory Changes and Replicating Directory Changes All. Domain controllers require these capabilities legitimately; ordinary users and workstations generally do not.
Attack Flow
- The adversary compromises an account or principal with directory-replication rights, or grants those rights through an earlier control-plane change.
- The source locates a domain controller and establishes RPC-based directory-replication communication.
- The source requests replication data for selected objects or a broader naming context.
- Returned credential material is parsed and stored.
- Recovered material is used for account access, Pass the Hash, ticket forging, or persistence.
Prerequisites
- A domain identity with the necessary replication permissions.
- Network connectivity to a domain controller over RPC.
- Knowledge of the target domain and relevant account or naming context.
- An API client capable of issuing replication requests.
Common Tools
- Mimikatz DCSync functionality
- Impacket secretsdump
- Directory-replication libraries and custom DRSR clients
- Native administration tools used to inspect or modify replication permissions
Commands
Recognition patterns for authorized directory-security validation:
mimikatz "lsadump::dcsync /domain:<domain> /user:<account>"
secretsdump.py <domain>/<user>@<domain-controller> -just-dc-user <account>
These operations are highly sensitive and should only be performed in an explicitly authorized laboratory or assessment.
Network Traffic
- The client first reaches the RPC endpoint mapper on TCP 135, then uses negotiated dynamic RPC ports.
- DRSUAPI replication operations are expected between domain controllers but suspicious from workstations, member servers, or unfamiliar management hosts.
- Network detections should focus on source role and novelty rather than blocking all replication RPC.
- Encrypted RPC may limit payload inspection, making endpoint and directory auditing important.
Windows Events
| Event ID | Channel | Defensive relevance |
|---|---|---|
| 4662 | Security on domain controllers | Directory-service object operation. With appropriate auditing, replication-control GUIDs can expose DCSync behavior. |
| 4624 | Security | Shows the account and source logon associated with access to the domain controller. |
| 4672 | Security | Identifies special privileges assigned to the requesting logon session. |
| 5136 | Security | Directory object modification; relevant when an adversary grants replication rights before DCSync. |
Sysmon Events
| Event ID | Name | Defensive relevance |
|---|---|---|
| 1 | Process creation | Captures replication tooling on a monitored source. |
| 3 | Network connection | Shows RPC connectivity from a non-domain-controller source to a domain controller. |
| 11 | File creation | May expose credential-output files created by tooling. |
Detection Opportunities
- Alert when replication-right GUIDs appear in Event 4662 for a subject that is not an approved domain-controller account or replication service.
- Detect DRSUAPI traffic to domain controllers from systems outside the domain-controller and authorized-management inventories.
- Monitor changes that grant replication rights to users, groups, or service principals.
- Correlate suspicious 4662 activity with 4624 source information, process execution, credential-output files, and later authentication.
- Maintain a reviewed allowlist of domain controllers and legitimate identity-management products rather than excluding all machine accounts blindly.
Sigma Rules
title: Directory Replication Request by a Non-Machine Account
id: c7c3c44b-49df-45e6-b48d-3f6daac6f498
status: experimental
description: Detects Active Directory replication-control access by a subject that is not a machine account.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter_machine:
        SubjectUserName|endswith: '$'
    condition: selection and not filter_machine
falsepositives:
    - Authorized identity-management and directory-recovery products
level: high
tags:
    - attack.credential-access
    - attack.t1003.006
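The following is an added example, not code from the original page or from any detection project. It applies the logic of the Sigma rule above to constructed Security-log events and goes one step beyond the rule: instead of excluding every subject ending in `$`, it excludes only an explicit allowlist of domain-controller machine accounts and approved service accounts, as the Detection Opportunities section recommends, and it correlates each hit with the 4624 logon sharing the same logon ID to recover the source address. Host names, account names, IP addresses and the allowlists are assumptions for a hypothetical environment.

```python
# Added example (not part of this page's original content): evaluate Windows
# Security events with the logic of the Sigma rule on this page, extended with
# the allowlist approach from Detection Opportunities. Event samples are
# constructed; host, account and IP values are hypothetical.
import re
from dataclasses import dataclass

# Control-access right GUIDs that directory replication requires (the three
# GUIDs matched by the Sigma rule).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlists for a hypothetical environment. Domain-controller machine
# accounts are named explicitly instead of trusting every name ending in '$'.
DC_ACCOUNTS = {"DC01$", "DC02$"}
APPROVED_SERVICE_ACCOUNTS = {"svc-adsync"}  # hypothetical identity-management product

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    host: str          # domain controller that logged the 4662
    subject: str       # requesting account
    logon_id: str
    source_ip: str     # from the 4624 sharing the same logon ID, '-' if unknown
    object_name: str
    rights: list


def replication_rights_in(properties: str) -> list:
    """Names of replication-control rights referenced in a 4662 Properties field."""
    return [REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_GUIDS]


def is_expected_replicator(subject: str) -> bool:
    """True only for allowlisted DC machine accounts or approved service accounts."""
    return subject in DC_ACCOUNTS or subject in APPROVED_SERVICE_ACCOUNTS


def detect_dcsync(events: list) -> list:
    """Flag 4662 replication-right access by unexpected subjects and attach the
    source address from the 4624 logon that shares the same logon ID."""
    logon_sources = {e["TargetLogonId"]: e.get("IpAddress", "-")
                     for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_in(e["Properties"])
        if not rights or is_expected_replicator(e["SubjectUserName"]):
            continue
        alerts.append(Alert(
            time=e["time"], host=e["host"], subject=e["SubjectUserName"],
            logon_id=e["SubjectLogonId"],
            source_ip=logon_sources.get(e["SubjectLogonId"], "-"),
            object_name=e["ObjectName"], rights=rights,
        ))
    return alerts


# Constructed sample events (dictionary keys mirror the Security-log field names).
DOMAIN_NC = "DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 4624, "time": "2024-05-02T09:14:03Z", "host": "DC01",
     "TargetUserName": "jdoe", "TargetLogonId": "0x3e7a1", "IpAddress": "10.10.20.55"},
    # Replication rights requested by an ordinary user: alert.
    {"EventID": 4662, "time": "2024-05-02T09:14:05Z", "host": "DC01",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1", "ObjectName": DOMAIN_NC,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Normal replication from an allowlisted domain controller: no alert.
    {"EventID": 4662, "time": "2024-05-02T09:15:00Z", "host": "DC01",
     "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e9c0", "ObjectName": DOMAIN_NC,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Machine account that is not a domain controller: the Sigma '$' filter
    # would drop this one, the allowlist does not.
    {"EventID": 4662, "time": "2024-05-02T09:16:12Z", "host": "DC01",
     "SubjectUserName": "WS05$", "SubjectLogonId": "0x3f110", "ObjectName": DOMAIN_NC,
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user, a different control-access right GUID (no replication right): no alert.
    {"EventID": 4662, "time": "2024-05-02T09:17:30Z", "host": "DC01",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "ObjectName": "CN=alice,CN=Users," + DOMAIN_NC,
     "Properties": "Control Access\n\t{00299570-246d-11d0-a768-00aa006e0529}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"{a.time} {a.host}: {a.subject} ({a.source_ip}) requested "
              f"{', '.join(a.rights)} on {a.object_name}")
```

Running the script reports two alerts from the constructed sample: the user `jdoe` with its source address recovered from the 4624, and the workstation account `WS05$`, which a blanket `$` filter would have silenced. The allowlisted `DC02$` and the non-replication control-access event produce nothing.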
Splunk Queries
index=windows sourcetype="WinEventLog:Security" EventCode=4662
(Properties="*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT like(SubjectUserName,"%$")
| stats count values(ObjectName) as objects values(Properties) as rights by _time host SubjectUserName SubjectDomainName
Investigation Workflow
- Identify the requesting subject, logon ID, source address, domain controller, object, and replication GUIDs.
- Determine whether the subject and source are approved for directory replication or identity-management operations.
- Review directory changes that granted or modified replication rights before the event.
- Examine source-host processes, binaries, command lines, output files, and RPC connections.
- Determine which directory objects were requested and assume broader credential exposure if scope cannot be established reliably.
- Search for subsequent authentication, ticket forging, privilege changes, and persistence involving privileged identities.
- Review all other use of the requesting principal and replication rights across the forest.
Containment
- Disable or restrict the compromised principal and remove unauthorized replication rights.
- Isolate the source system when malicious tooling is confirmed.
- Rotate exposed account credentials using a domain-recovery sequence appropriate to the assessed scope.
- Invalidate active sessions and investigate forged or anomalous Kerberos tickets.
- Preserve domain-controller security logs and directory-change evidence.
Mitigation
- Limit replication rights to domain controllers and explicitly approved services.
- Audit control-access operations on directory objects and retain domain-controller security logs centrally.
- Monitor changes to domain and configuration naming-context permissions.
- Protect privileged identities with separate administration, hardened workstations, and strong authentication.
- Regularly review principals holding replication rights and remove stale delegations.
- Segment RPC access to domain controllers according to operational requirements.
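To put the review of replication-right holders (and the monitoring of permission grants under Detection Opportunities) into practice, here is an added example that is not from the original page or any project. It takes ACE records in the shape a defender gets back from `Get-Acl` on the `AD:` drive or from parsing `nTSecurityDescriptor` (trustee, access mask, optional right GUID, allow or deny) and reports two things: principals holding replication rights outside an expected-holder list, and principals whose WriteDacl or WriteOwner on the naming context would let them grant such rights to themselves. It also handles the case where an extended-rights ACE carries no object GUID, which applies to every extended right and is easy to miss when searching only for the three replication GUIDs. The ACE records, trustee names and the expected-holder list are constructed assumptions for a hypothetical domain.

```python
# Added example (not from this page or any project): list principals whose ACEs
# on a naming context grant replication rights, and those who could grant them
# to themselves. ACE records are constructed in the shape Get-Acl on the AD:
# drive returns (IdentityReference, ActiveDirectoryRights mask, ObjectType);
# trustee names and the expected-holder list are assumptions.
from dataclasses import dataclass
from typing import Optional

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Bits of the Active Directory access mask (ActiveDirectoryRights values).
EXTENDED_RIGHT = 0x100      # control access; GenericAll (0xF01FF) includes this bit
WRITE_DACL = 0x40000
WRITE_OWNER = 0x80000

# Principals expected to hold replication rights in this hypothetical domain.
EXPECTED_HOLDERS = {"BUILTIN\\Administrators", "CORP\\Domain Controllers",
                    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"}


@dataclass
class Ace:
    trustee: str
    access_mask: int
    object_type: Optional[str] = None   # right GUID; None = not limited to one right
    ace_type: str = "Allow"             # "Allow" or "Deny"


def replication_grants(aces):
    """Map trustee -> set of replication rights granted by Allow ACEs.
    An extended-rights ACE without an ObjectType applies to all extended
    rights, so it grants every replication right as well."""
    grants = {}
    for ace in aces:
        if ace.ace_type != "Allow" or not ace.access_mask & EXTENDED_RIGHT:
            continue
        if ace.object_type is None:
            rights = set(REPLICATION_GUIDS.values())
        elif ace.object_type.lower() in REPLICATION_GUIDS:
            rights = {REPLICATION_GUIDS[ace.object_type.lower()]}
        else:
            continue   # some other control-access right, not replication
        grants.setdefault(ace.trustee, set()).update(rights)
    return grants


def unexpected_holders(aces, expected=EXPECTED_HOLDERS):
    """Replication-right holders outside the reviewed allowlist, rights sorted."""
    return {t: sorted(r) for t, r in replication_grants(aces).items()
            if t not in expected}


def dacl_writers(aces, expected=EXPECTED_HOLDERS):
    """Trustees who could grant themselves replication rights by rewriting the
    DACL or taking ownership (the permission change Event 5136 would record)."""
    return sorted({a.trustee for a in aces
                   if a.ace_type == "Allow"
                   and a.access_mask & (WRITE_DACL | WRITE_OWNER)
                   and a.trustee not in expected})


# Constructed sample DACL for the domain naming context.
SAMPLE_ACES = [
    Ace("BUILTIN\\Administrators", EXTENDED_RIGHT, "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("BUILTIN\\Administrators", EXTENDED_RIGHT, "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", EXTENDED_RIGHT,
        "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    Ace("CORP\\svc-backup", EXTENDED_RIGHT, "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),  # stale delegation
    Ace("CORP\\helpdesk", 0xF01FF),                                                   # GenericAll, no ObjectType
    Ace("CORP\\auditors", EXTENDED_RIGHT, "00299570-246d-11d0-a768-00aa006e0529"),   # a different extended right
    Ace("CORP\\jdoe", WRITE_DACL),                                                    # can rewrite the DACL
    Ace("CORP\\contractors", EXTENDED_RIGHT, "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
        ace_type="Deny"),                                                            # Deny grants nothing
]

if __name__ == "__main__":
    for trustee, rights in unexpected_holders(SAMPLE_ACES).items():
        print(f"unexpected replication rights: {trustee}: {', '.join(rights)}")
    for trustee in dacl_writers(SAMPLE_ACES):
        print(f"could self-grant replication rights: {trustee}")
```

On the constructed DACL the review flags `svc-backup` (a single stale Get-Changes-All delegation) and `helpdesk` (GenericAll with no object GUID, which covers all three replication rights), and lists `helpdesk` and `jdoe` as able to rewrite the DACL. The Deny ACE and the unrelated extended right are correctly ignored.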
Related Techniques
- T1003 — OS Credential Dumping
- T1087.002 — Domain Account Discovery
- T1482 — Domain Trust Discovery
- T1558.001 — Golden Ticket