Keypoints
- DCSync simulates a domain controller to request replication data via Directory Replication Service (DRSR) APIs.
- Attackers with Domain Admin, Administrator, or certain computer account privileges can extract password hashes.
- Extracted hashes include KRBTGT and admin accounts and can be used to create Golden Tickets.
- Tools like Mimikatz (lsadump/NetSync) implement DCSync over modern and legacy replication protocols.
- Monitor domain replication activity and unexpected replication sources to detect DCSync attempts.
Description:
- Like a forged passport letting someone pass as an official inspector, DCSync impersonates a domain controller to request a vault of account credentials and travel through the network undetected.
- DCSync calls domain controller replication APIs to retrieve password hashes and other sensitive Active Directory data. Attackers use those hashes to forge Kerberos tickets, move laterally, and maintain persistent, stealthy access, which makes DCSync a high-impact credential theft technique.
Detection:
- Audit and monitor Windows Security and Directory Services logs for unusual replication requests, using the Event IDs that record DRS replication and DRSR calls.
- Alert on replication requests (DRSR/NRPC/SAMR) originating from IPs or hosts that are not known domain controllers.
- Use network traffic inspection to detect DRSR/NRPC protocol activity to DCs from unexpected endpoints; capture full packet content where possible for verification.
- Correlate privileged account activity (Domain Admin, Enterprise Admin, DC computer accounts) with replication requests to spot anomalous timing or frequency.
- Watch for use of tools known to implement DCSync (e.g., Mimikatz lsadump/NetSync) by endpoint detection telemetry and command-line monitoring on high-value hosts.
- Account for the caveat that domain controller computer accounts replicate legitimately: verify any nonstandard account or machine account that requests replication, and enable enhanced logging where default DC-account logging leaves gaps.
- Follow best practices: restrict which principals have Replicating Directory Changes rights, rotate KRBTGT regularly, enforce least privilege, and maintain SIEM rules to reduce false positives by tuning for scheduled replication windows and known DC-to-DC flows.
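To make the replication-rights monitoring in the Detection list concrete, here is an added example that is not part of the original page: it runs over constructed Windows Security Event ID 4662 records and flags replication control-access requests made by any principal other than a known domain controller account. The DC inventory, host names and user names are assumptions.

```python
import re

# Well-known AD control-access right GUIDs that DRSR replication requires.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" in Event ID 4662
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def detect_dcsync(events, known_dcs):
    """Flag 4662 events where a replication right is exercised by a non-DC principal."""
    dcs = {d.upper() for d in known_dcs}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue  # not a control-access operation
        rights = tuple(REPLICATION_GUIDS[g.lower()]
                       for g in GUID_RE.findall(ev.get("Properties", ""))
                       if g.lower() in REPLICATION_GUIDS)
        if not rights:
            continue  # control access, but not a replication right
        subject = ev["SubjectUserName"]
        if subject.endswith("$") and subject.upper() in dcs:
            continue  # expected DC-to-DC replication; tune this allow-list per environment
        reason = ("machine account not in DC inventory" if subject.endswith("$")
                  else "user principal requested directory replication")
        alerts.append({"subject": subject, "rights": rights, "reason": reason})
    return alerts

# Constructed sample 4662 records (field names follow the Windows event schema);
# KNOWN_DCS is an assumed inventory of domain controller computer accounts.
KNOWN_DCS = ["DC01$", "DC02$"]
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "WKSTN07$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary property access
]
```

Feeding the sample records through `detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS)` yields two alerts (the user `jdoe` and the unknown machine account `WKSTN07$`) while the known DC's replication passes silently, which is exactly the gap the DC-account caveat above asks you to verify.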
Tactics:
Credential Access
Platforms:
Windows
Data Sources:
Active Directory: Active Directory Object Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Relationship Citations:
(Citation: Cobalt Strike Manual 4.3 November 2020),(Citation: FoxIT Wocao December 2019),(Citation: NCSC Joint Report Public Tools),(Citation: MSTIC DEV-0537 Mar 2022),(Citation: TrendMicro EarthLusca 2022),(Citation: Directory Services Internals DPAPI Backup Keys Oct 2015),(Citation: Microsoft Deep Dive Solorigate January 2021),(Citation: CrowdStrike StellarParticle January 2022),(Citation: Crowdstrike TELCO BPO Campaign December 2022),(Citation: Deply Mimikatz),(Citation: GitHub Mimikatz lsadump Module),(Citation: Microsoft 365 Defender Solorigate),(Citation: Microsoft Replication ACL),(Citation: ADSecurity Mimikatz DCSync)