Agent-Skills.md

Agent Skills: Hunting for DCSync Attacks

Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.

UncategorizedID: plurigrid/asi/hunting-for-dcsync-attacks

Repository

plurigrid/asi
plurigridLicense: MIT
165

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/hunting-for-dcsync-attacks

Skill Files

Browse the full folder contents for hunting-for-dcsync-attacks.

Download Skill

Loading file tree…

plugins/asi/skills/hunting-for-dcsync-attacks/SKILL.md

Skill Metadata

Name
hunting-for-dcsync-attacks
Description
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.

Hunting for DCSync Attacks

When to Use

  • When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
  • After detecting Mimikatz or similar tools in the environment
  • During incident response involving Active Directory compromise
  • When monitoring for unauthorized domain replication requests
  • During purple team exercises testing AD attack detection

Prerequisites

  • Windows Security Event Log forwarding enabled (Event ID 4662)
  • Audit Directory Service Access enabled via Group Policy
  • Domain Computers SACL configured on Domain Object for machine account detection
  • SIEM with Windows event data ingested (Splunk, Elastic, Sentinel)
  • Knowledge of legitimate domain controller accounts and replication partners

Workflow

  1. Enable Auditing: Ensure Audit Directory Service Access is enabled on domain controllers.
  2. Collect Events: Gather Windows Event ID 4662 with AccessMask 0x100 (Control Access).
  3. Filter Replication GUIDs: Search for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
  4. Identify Non-DC Sources: Flag events where SubjectUserName is not a domain controller machine account.
  5. Correlate with Network: Cross-reference source IPs against known DC addresses.
  6. Validate Findings: Exclude legitimate replication tools (Azure AD Connect, SCCM).
  7. Respond: Disable compromised accounts, reset krbtgt, investigate lateral movement.

Key Concepts

| Concept | Description | |---------|-------------| | DCSync | Technique abusing AD replication protocol to extract password hashes | | Event ID 4662 | Directory Service Access audit event | | DS-Replication-Get-Changes | GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | | DS-Replication-Get-Changes-All | GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | | AccessMask 0x100 | Control Access right indicating extended rights verification | | T1003.006 | OS Credential Dumping: DCSync |

Tools & Systems

| Tool | Purpose | |------|---------| | Windows Event Viewer | Direct event log analysis | | Splunk | SIEM correlation of Event 4662 | | Elastic Security | Detection rules for DCSync patterns | | Mimikatz lsadump::dcsync | Attack tool used to perform DCSync | | Impacket secretsdump.py | Python-based DCSync implementation | | BloodHound | Identify accounts with replication rights |

Output Format

Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Technique: T1003.006
Domain Controller: [DC hostname]
Subject Account: [Account performing replication]
Source IP: [Non-DC IP address]
GUID Accessed: [Replication GUID]
Risk Level: [Critical/High/Medium/Low]
Recommended Action: [Disable account, reset krbtgt, investigate]