How to Detect DCSync Attacks Against Active Directory

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
DCSync is one of the most consequential credential theft techniques in Active Directory environments because it requires no footprint on a domain controller and extracts hashes for any account: including krbtgt, which enables Golden Ticket attacks that persist for years.
The technique works because domain controllers replicate password data with each other using the MS-DRSR protocol. Any principal with the right permissions can initiate replication requests. Attackers exploit this by granting themselves replication permissions (or compromising an account that already has them) and then requesting hash replication as if they were a DC.
What Legitimate Replication vs. DCSync Looks Like
Normal AD replication happens between domain controllers. Legitimate replication requests:
- Source: a domain controller computer account (ending in $)
- Destination: another domain controller
- Scheduled automatically by the KCC (Knowledge Consistency Checker)
DCSync attack:
- Source: a non-DC account (a user, workstation, or service account)
- The source initiates replication using Mimikatz, Impacket's secretsdump.py, or similar tools
- From any machine that has network connectivity to a DC on port 135 (RPC endpoint mapper)
DCSync with Mimikatz (what it looks like to an attacker):
# Dump all hashes from the domain
mimikatz# lsadump::dcsync /domain:corp.local /all /csv
# Dump a specific account (most valuable: krbtgt, Administrator)
mimikatz# lsadump::dcsync /domain:corp.local /user:krbtgt
# Output includes:
# [DC] 'corp.local' will be the domain
# [rpc] Service : ldap
# [rpc] AuthnSvc : GSS_NEGOTIATE (9)
# Object RDN : krbtgt
# Hash NTLM: 9b3e7d8a5c2f4e1b6d0a8c3f7e2b4d9a
# ntlm-0: 9b3e7d8a5c2f4e1b6d0a8c3f7e2b4d9a
# lm-0: (not set)
Impacket secretsdump.py (Linux-based):
# From any machine with network access to the DC
python3 secretsdump.py corp.local/attackeraccount:password@dc01.corp.local
# Or using a hash directly (after Pass-the-Hash)
python3 secretsdump.py -hashes :NTLM_HASH corp.local/attackeraccount@dc01.corp.local
Detection: Event ID 4662 with Replication GUIDs
DCSync generates Event ID 4662 on domain controllers: 'An operation was performed on an object': when the replication rights are exercised. The key is filtering on the specific GUIDs that identify directory replication operations.
The replication GUIDs to watch:
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 : Replicating Directory Changes
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 : Replicating Directory Changes All (the dangerous one)
89e95b76-444d-4c62-991a-0facbeda640c : Replicating Directory Changes In Filtered Set
Prerequisite: Event 4662 requires the "Audit Directory Service Access" policy to be enabled:
Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy > DS Access > Audit Directory Service Access > Success
Microsoft Sentinel KQL: DCSync detection:
SecurityEvent
| where EventID == 4662
| where ObjectType contains "domainDNS"
| where Properties has_any (
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
"89e95b76-444d-4c62-991a-0facbeda640c"
)
| where AccountName !endswith "$" // Exclude DC machine accounts (legitimate replication)
| where AccountName != "MSOL_*" // Exclude Azure AD Sync service accounts
| project
TimeGenerated,
SubjectAccount = AccountName,
SubjectDomain = SubjectDomainName,
SourceComputer = Computer,
Properties
| sort by TimeGenerated desc
Splunk SPL: DCSync detection:
index=wineventlog EventCode=4662
| where ObjectType="domainDNS"
| where (Properties LIKE "%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%"
OR Properties LIKE "%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%"
OR Properties LIKE "%89e95b76-444d-4c62-991a-0facbeda640c%")
| where NOT match(Security_ID, ".*\$@?$") /* Exclude machine accounts */
| where NOT match(Account_Name, "MSOL_.*") /* Exclude Azure AD Sync */
| table _time, Account_Name, Account_Domain, Logon_ID, host, Properties
| sort -_time
Tuning out false positives:
- Azure AD Connect / MSOL_ accounts perform legitimate directory replication: add them to an exclusion list
- Third-party AD sync tools (Okta AD agent, etc.) may also generate these events: identify legitimate sync accounts and exclude by name
- Remaining events after exclusion are very high confidence
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Prevention: Audit and Restrict Replication Permissions
The best DCSync prevention is ensuring only domain controller machine accounts have replication rights. Audit this regularly.
PowerShell: Find all principals with replication rights:
# Check who has replication permissions on the domain NC
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domainDN"
# Filter for Replicating Directory Changes (All)
$replicationGuids = @(
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", # Replicating Directory Changes
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" # Replicating Directory Changes All
)
$acl.Access | Where-Object {
$_.ObjectType.ToString() -in $replicationGuids -and
$_.AccessControlType -eq 'Allow'
} | Select-Object IdentityReference, ObjectType, AccessControlType | Sort-Object IdentityReference
Expected legitimate entries:
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
NT AUTHORITY\SYSTEM
CORP\Domain Controllers
CORP\Enterprise Read-only Domain Controllers
CORP\MSOL_<guid> (Azure AD Connect: only if used)
CORP\Administrators (by default: consider removing if not needed)
Remove replication rights from a non-DC account:
# If a non-DC account has been granted replication rights, remove it
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domainDN"
$accountToRemove = "CORP\compromised-service-account"
$acl.Access | Where-Object {
$_.IdentityReference -eq $accountToRemove
} | ForEach-Object {
$acl.RemoveAccessRule($_)
}
Set-Acl "AD:\$domainDN" $acl
Regular audit schedule: Run the permission audit monthly and alert on any changes to the ACL of the domain NC object: a new entry granting replication rights is a critical incident indicator.
Post-DCSync: What to Do When You Detect It
DCSync detection is a critical incident: by the time the alert fires, the attacker likely has NTLM hashes for privileged accounts including potentially krbtgt.
Immediate response steps:
-
Identify the source account: Which account triggered the Event 4662? This is the compromised credential.
-
Disable the source account immediately:
Disable-ADAccount -Identity "compromised-account"
Get-ADUser "compromised-account" -Properties * | Select-Object Enabled, LastLogonDate
-
Assess what was extracted: Correlate the DCSync event timestamp with the account's privileges. Was it a domain admin? Could krbtgt have been targeted?
-
If krbtgt may have been extracted: double-rotate krbtgt:
# Rotate krbtgt password TWICE with 10-hour gap between rotations
# This is required because Kerberos tickets are valid for 10 hours by default
# First rotation invalidates current tickets after they expire
# Second rotation invalidates any new tickets issued with the first hash
# First rotation (use Microsoft's New-KrbtgtKeys.ps1 script)
# https://github.com/microsoft/New-KrbtgtKeys.ps1
.\New-KrbtgtKeys.ps1
# Wait 10+ hours
.\New-KrbtgtKeys.ps1
-
Rotate all domain admin passwords: Any account whose hash was potentially extracted should have its password rotated immediately: especially any privileged accounts.
-
Hunt for Golden Tickets: Check for Event ID 4769 with ticket encryption type 0x17 and ticket options that do not match normal patterns: these may indicate Golden Ticket use.
The bottom line
DCSync attacks extract AD password hashes using the directory replication protocol: no DC logon, no obvious footprint. Detection requires Event ID 4662 on domain controllers filtered for the three replication GUIDs (1131f6aa, 1131f6ad, 89e95b76), excluding DC machine accounts and legitimate sync service accounts. Prevention requires auditing who has Replicating Directory Changes All rights monthly. If DCSync is detected, immediately disable the source account, assess whether krbtgt was targeted, and if so: double-rotate krbtgt with a 10-hour gap between rotations.
Frequently asked questions
How do you detect a DCSync attack?
Monitor Windows Security Event ID 4662 on domain controllers for operations containing the replication GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, where the subject account does not end in '$' (machine account). Non-machine accounts triggering these events are performing DCSync. Audit Directory Service Access must be enabled for Event 4662 to fire.
What permissions does DCSync require?
DCSync requires the 'Replicating Directory Changes All' extended right on the domain NC object (GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). By default, only domain controller machine accounts, NT AUTHORITY\SYSTEM, and Domain Admins have this right. If an attacker has compromised a Domain Admin account or has otherwise granted a user account this permission, they can execute DCSync from any machine with network access to a domain controller.
What is the difference between DCSync and a Golden Ticket attack?
DCSync extracts NTLM password hashes from Active Directory by simulating domain controller replication. The attacker uses the extracted hash (particularly the krbtgt account hash) to then forge Kerberos tickets. A Golden Ticket is the forged Kerberos TGT created using the krbtgt hash: it grants persistent access to any resource in the domain for up to the ticket lifetime, even after password resets (unless krbtgt is rotated twice). DCSync is the reconnaissance step; the Golden Ticket is the persistence mechanism. Response to DCSync requires rotating the krbtgt password twice (each rotation takes 10+ hours to propagate) to invalidate all outstanding forged tickets.
How do you remediate after a DCSync attack?
DCSync remediation is one of the most complex Active Directory recovery procedures. Required steps: (1) Rotate the krbtgt account password twice (separated by the replication convergence time, typically 10+ hours each rotation — not back-to-back) to invalidate all Golden Tickets. (2) Reset all Domain Admin and privileged account passwords immediately. (3) Remove any unauthorized 'Replicating Directory Changes' ACL grants added by the attacker. (4) Audit all accounts created or modified during the compromise window. (5) Review domain trusts for any new trusts added. Full domain recovery after confirmed DCSync typically requires rebuilding the domain if the attacker had sufficient time to establish persistent backdoors.
How do I audit which accounts have DCSync rights?
Run this PowerShell to identify accounts with DCSync-capable permissions on the domain NC: Get-ADObject (Get-ADDomain).DistinguishedName -Properties nTSecurityDescriptor | Select -ExpandProperty nTSecurityDescriptor | Select -ExpandProperty Access | Where-Object {$_.ObjectType -eq '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -or $_.ObjectType -eq '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'} | Select IdentityReference, ActiveDirectoryRights. Any account in this output that is not a domain controller machine account or a built-in system account represents an unauthorized DCSync-capable principal and should be investigated immediately.
What are the indicators in Entra ID that a DCSync attack occurred via a compromised Entra Connect account?
Entra Connect (Azure AD Connect) service accounts have the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions in Active Directory by design, because these permissions are required for hybrid identity synchronization. An attacker who compromises the Entra Connect server or its AD Connector account effectively has DCSync capability. Entra ID-side indicators that Entra Connect credentials were abused: Entra ID sign-in logs showing the Entra Connect service account (typically named 'MSOL_' followed by a random hex string) signing in from an IP address other than the Entra Connect server's IP. This is highly anomalous because the service account should only ever authenticate from the designated sync server. Also monitor: Entra Connect Health portal showing unexpected sync errors or configuration changes, Entra audit logs for bulk password changes that were not initiated through normal SSPR workflows (these could indicate the attacker is forcing password changes after extracting hashes via DCSync), and any synchronization of accounts that do not exist on-premises (attacker creating phantom accounts). If you suspect Entra Connect server compromise: immediately suspend synchronization from the Entra admin center, reset all Entra Connect service account credentials, and rebuild the sync server from a known-good image before resuming synchronization.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
