hunting-for-dcsync-attacks
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
Best use case
hunting-for-dcsync-attacks is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
Teams using hunting-for-dcsync-attacks should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/hunting-for-dcsync-attacks/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How hunting-for-dcsync-attacks Compares
| Feature / Agent | hunting-for-dcsync-attacks | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Hunting for DCSync Attacks ## When to Use - When hunting for DCSync credential theft (MITRE ATT&CK T1003.006) - After detecting Mimikatz or similar tools in the environment - During incident response involving Active Directory compromise - When monitoring for unauthorized domain replication requests - During purple team exercises testing AD attack detection ## Prerequisites - Windows Security Event Log forwarding enabled (Event ID 4662) - Audit Directory Service Access enabled via Group Policy - Domain Computers SACL configured on Domain Object for machine account detection - SIEM with Windows event data ingested (Splunk, Elastic, Sentinel) - Knowledge of legitimate domain controller accounts and replication partners ## Workflow 1. **Enable Auditing**: Ensure Audit Directory Service Access is enabled on domain controllers. 2. **Collect Events**: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access). 3. **Filter Replication GUIDs**: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. 4. **Identify Non-DC Sources**: Flag events where SubjectUserName is not a domain controller machine account. 5. **Correlate with Network**: Cross-reference source IPs against known DC addresses. 6. **Validate Findings**: Exclude legitimate replication tools (Azure AD Connect, SCCM). 7. **Respond**: Disable compromised accounts, reset krbtgt, investigate lateral movement. ## Key Concepts | Concept | Description | |---------|-------------| | DCSync | Technique abusing AD replication protocol to extract password hashes | | Event ID 4662 | Directory Service Access audit event | | DS-Replication-Get-Changes | GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | | DS-Replication-Get-Changes-All | GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | | AccessMask 0x100 | Control Access right indicating extended rights verification | | T1003.006 | OS Credential Dumping: DCSync | ## Tools & Systems | Tool | Purpose | |------|---------| | Windows Event Viewer | Direct event log analysis | | Splunk | SIEM correlation of Event 4662 | | Elastic Security | Detection rules for DCSync patterns | | Mimikatz lsadump::dcsync | Attack tool used to perform DCSync | | Impacket secretsdump.py | Python-based DCSync implementation | | BloodHound | Identify accounts with replication rights | ## Output Format ``` Hunt ID: TH-DCSYNC-[DATE]-[SEQ] Technique: T1003.006 Domain Controller: [DC hostname] Subject Account: [Account performing replication] Source IP: [Non-DC IP address] GUID Accessed: [Replication GUID] Risk Level: [Critical/High/Medium/Low] Recommended Action: [Disable account, reset krbtgt, investigate] ```