Detects DCSync attacks in Active Directory by monitoring non-domain controller accounts requesting directory replication via DsGetNCChanges and Event ID 4662. Useful for threat hunting credential theft with Mimikatz or Impacket.
- When hunting for credential theft activity in an Active Directory environment
| Concept | Description |
|---|---|
| T1003.006 | OS Credential Dumping: DCSync |
| DCSync | Impersonates domain controller replication to extract credentials |
| DsGetNCChanges | RPC function used to request AD replication data |
| DS-Replication-Get-Changes | Required AD permission (GUID: 1131f6aa-...) |
| DS-Replication-Get-Changes-All | Permission that includes secret attributes (GUID: 1131f6ad-...) |
| MS-DRSR | Microsoft Directory Replication Service Remote Protocol |
| KRBTGT hash | Key DCSync target; usable for Golden Ticket attacks |
| Event ID 4662 | Directory service object access audit event |

| Tool | Purpose |
|---|---|
| Mimikatz (lsadump::dcsync) | Primary DCSync attack tool |
| Impacket secretsdump.py | Python-based DCSync implementation |
| DSInternals | PowerShell module for AD replication |
| BloodHound | Maps accounts holding replication rights |
| Splunk / Elastic | SIEM correlation of 4662 events |
| Microsoft Defender for Identity | Native DCSync detection |
| CrowdStrike Falcon | EDR-based DCSync detection |
```spl
index=wineventlog EventCode=4662
| where Properties IN ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*",
                       "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*",
                       "*89e95b76-444d-4c62-991a-0facbeda640c*")
| where NOT match(SubjectUserName, ".*\\$$")
| where NOT SubjectUserName IN ("known_svc_account1", "known_svc_account2")
| stats count values(Properties) as ReplicationRights by SubjectUserName SubjectDomainName Computer
| where count > 0
| table SubjectUserName SubjectDomainName Computer count ReplicationRights
```
```kql
SecurityEvent
| where EventID == 4662
| where Properties has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
    or Properties has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
// Machine (DC) accounts end in "$"
| where SubjectUserName !endswith "$"
// Exclude known sync accounts; "!in" is an exact match, so the MSOL_ prefix needs startswith
| where SubjectUserName != "AzureADConnect" and not(SubjectUserName startswith "MSOL_")
| project TimeGenerated, SubjectUserName, SubjectDomainName, Computer, Properties
| sort by TimeGenerated desc
```
```yaml
title: DCSync Activity Detected - Non-DC Replication Request
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    Properties|contains:
      - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
      - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
  filter_dc:
    SubjectUserName|endswith: '$'
  condition: selection and not filter_dc
level: critical
tags:
  - attack.credential_access
  - attack.t1003.006
```
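As an added example (not part of the original skill or any of the tools it lists), the same detection logic as the Splunk, KQL and Sigma rules above, written in Python and run over constructed sample 4662 records: it matches the replication GUIDs in `Properties`, exempts machine accounts ending in `$` and an assumed allow-list of sync accounts (`AzureADConnect`, `MSOL_*`), and aggregates hits by account, domain and DC the way the `stats` step does.

```python
import re
# Control-access-right GUIDs that grant directory replication (same GUIDs as the queries above).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Allow-list of legitimate sync accounts; assumed values, tune per environment.
KNOWN_SERVICE_ACCOUNTS = {"AzureADConnect"}
KNOWN_SERVICE_PREFIXES = ("MSOL_",)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def is_exempt(user: str) -> bool:
    """Machine accounts (DCs) end in '$'; known sync accounts are allow-listed."""
    return (user.endswith("$") or user in KNOWN_SERVICE_ACCOUNTS
            or user.startswith(KNOWN_SERVICE_PREFIXES))

def replication_rights(properties: str) -> set:
    """Map every replication GUID present in the 4662 Properties field to its name."""
    return {REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_GUIDS}

def detect_dcsync(events):
    """Aggregate replication requests by (account, domain, DC); empty dict means no alert."""
    alerts = {}
    for ev in events:
        if ev.get("EventID") != 4662 or is_exempt(ev["SubjectUserName"]):
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary object access, not a replication request
        key = (ev["SubjectUserName"], ev["SubjectDomainName"], ev["Computer"])
        hit = alerts.setdefault(key, {"count": 0, "rights": set(), "first_seen": ev["TimeCreated"]})
        hit["count"] += 1
        hit["rights"] |= rights
    return alerts

# Constructed sample events (not real log data); Properties mimics the 4662 field format.
REPL = "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:12:01Z", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "Computer": "DC01.corp.local", "Properties": REPL},  # DC-to-DC
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:15:44Z", "SubjectUserName": "MSOL_a1b2c3",
     "SubjectDomainName": "CORP", "Computer": "DC01.corp.local", "Properties": REPL},  # Entra Connect
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:20:07Z", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "Computer": "DC01.corp.local",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # plain object access, no alert
    {"EventID": 4662, "TimeCreated": "2024-01-10T09:21:30Z", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "Computer": "DC01.corp.local", "Properties": REPL},  # DCSync
]
```

Running `detect_dcsync(SAMPLE_EVENTS)` yields a single hit for `jsmith` against `DC01.corp.local` carrying both Get-Changes rights; the DC and MSOL_ events are dropped by the exemptions and the plain object access by the GUID check.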
`lsadump::dcsync /user:krbtgt` extracts the KRBTGT hash, which is used to create Golden Tickets. `secretsdump.py domain/user:password@dc-ip` performs a remote DCSync and extracts all domain hashes. The `Get-ADReplAccount` cmdlet replicates a specific account's credentials.

```text
Hunt ID: TH-DCSYNC-[DATE]-[SEQ]
Alert Severity: Critical
Source Account: [account requesting replication]
Source Machine: [requester hostname/IP]
Target DC: [domain controller receiving the request]
Replication Rights: [GUIDs accessed]
Timestamp: [event time]
Legitimate DC: [Yes/No]
Known Service Account: [Yes/No]
Risk Assessment: [Critical - non-domain-controller replication detected]
```