What is a DCSync attack?

A DCSync attack occurs when an adversary mimics the behavior of a Domain Controller to request account password hashes from another DC using the Directory Replication Service Remote Protocol (MS-DRSR).

Can this skill detect tools like Mimikatz and Impacket?

Yes, it specifically monitors for the DsGetNCChanges RPC calls and replication GUIDs used by common attack tools like Mimikatz, Impacket secretsdump, and DSInternals.

Which Windows Event ID is used for DCSync detection?

Event ID 4662 (Object Access) is the primary event used, as it records when an operation is performed on a directory service object, including replication requests.

What are the prerequisite configurations for this detection?

You must enable Advanced Audit Policy for 'Audit Directory Service Access' and configure a SACL on the domain object to monitor for access to replication rights.

Active Directory DCSync Attack Detection

Name: Active Directory DCSync Attack Detection
Author: mukul975

bymukul975

•

4,121

•

安全与测试

Detects DCSync credential theft attacks in Active Directory by monitoring replication requests from unauthorized accounts and suspicious GUID access.

This skill provides a comprehensive framework for security analysts to detect and respond to DCSync attacks, a technique where adversaries abuse directory replication privileges to extract password hashes. It offers detailed workflows for identifying legitimate replication sources, configuring critical Windows Event ID 4662 auditing, and monitoring specific DS-Replication GUIDs used by tools like Mimikatz and Impacket. By providing ready-to-use Splunk queries, KQL for Microsoft Sentinel, and Sigma rules, this skill enables rapid threat hunting and incident response in Active Directory environments.

主要功能

01Guides workflow for auditing replication permissions and SACLs

02Includes standardized Sigma rules for platform-agnostic threat hunting

03Monitors critical AD replication GUIDs for unauthorized access

04Maps detections to MITRE ATT&CK T1003.006 (OS Credential Dumping)

05Provides pre-built detection queries for Splunk and Microsoft Sentinel

064,121 GitHub stars

使用场景

01Threat hunting for credential theft in Windows environments

02Automating SOC alerts for non-DC accounts requesting replication

03Investigating lateral movement involving domain administrator accounts

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-dcsync-attack-in-active-directory

For use in Claude.ai and ChatGPT

主要功能

01Guides workflow for auditing replication permissions and SACLs

02Includes standardized Sigma rules for platform-agnostic threat hunting

03Monitors critical AD replication GUIDs for unauthorized access

04Maps detections to MITRE ATT&CK T1003.006 (OS Credential Dumping)

05Provides pre-built detection queries for Splunk and Microsoft Sentinel

064,121 GitHub stars

使用场景

01Threat hunting for credential theft in Windows environments

02Automating SOC alerts for non-DC accounts requesting replication

03Investigating lateral movement involving domain administrator accounts

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-dcsync-attack-in-active-directory

For use in Claude.ai and ChatGPT