DCSync and Event ID 4662

I've been playing with the existing blacklist line for events 4662 to fulfil this purpose, but can't seem to get it to work.

Within an Active Directory domain, how do you detect DCSync exploitation, with Windows logs or with network traffic? Event ID 4662 ("An operation was performed on an object") is the Windows Security Log event used for DCSync detection: it is logged on a domain controller when an operation is performed on an Active Directory object, and DS-Replication-Get-Changes operations are among the operations it can record. The event is not produced by default; the Audit Directory Service Access subcategory has to be enabled in Advanced Audit Policy Configuration (Computer Configuration) on the domain controllers. On the wire, the traffic of interest is the DRSUAPI protocol requesting a DsGetNCChanges operation, which is exactly what a replication partner and a DCSync tool both send. Lsadump in Mimikatz also includes NetSync, which performs DCSync over a legacy replication protocol. If an attacker already holds Domain Admin privileges, the Directory Services Replication permissions can also be granted to an arbitrary principal with PowerView.

To detect DCSync from Event ID 4662, check the following field values: SubjectUserName (the account performing the operation; legitimate replication comes from domain controller machine accounts, so a user account is the anomaly), the Access Mask (0x100, Control Access, the bit an extended right is checked with) and the Properties field, which carries the GUIDs of the extended rights exercised. A Mimikatz DCSync generates four 4662 events carrying the replication GUIDs under a user account rather than a DC machine account; netexec DCSync via drsuapi produces three 4662 events with DS-Replication-Get-Changes rights. The forwarder blacklist approach therefore drops all 4662 events except those whose message matches one of these GUIDs. (The Audit Other Policy Change Events subcategory, which covers EFS Data Recovery Agent policy changes and changes to Windows Filtering Platform filters, is not the subcategory involved.)
I think this will be one of the best webinars this year for folks. If available, can you share any best practices or updated rules for detecting credential dumping or DC replication abuse (e.g., Event ID 4662 + Directory Replication access)?

Replication rights are granted with PowerView.ps1 using a command of the form Add-ObjectACL -PrincipalIdentity ... How can you detect a DCSync attack? Monitor the two directory service audit events: Security Event ID 4662 (An operation was performed on an object; the audit policy for the object must be enabled) and Security Event ID 5136 (A directory service object was modified; same requirement). Then correlate 4662 with Event 4624 by matching the 4662 Logon ID to the TargetLogonId of the 4624 logon, which yields the source of the session that issued the replication request. Splunk ships a rule described as "Detects Mimikatz DC sync security events" (Figure 83 - DCSync with Event ID 4662), and with a SIEM that offers a rich query language the DCSync criteria can be combined in a single search.

Domain controllers replicate legitimately, so their own 4662 events have to be filtered out. In this case we are going to blacklist them at the forwarder. I have given an example that does this by removing SYNC events where the AccountType is a Machine and where the account ... Hence, the events in Splunk were no newer than 5.5 hours because the security log was filling faster than the forwarder could send and index them.

DCSync is a technique commonly used in identity-based attacks where an adversary with sufficient privileges requests account data from a domain controller using the AD replication protocol. Force Active Directory replication throughout the domain and verify you see Event ID 2002 and 4602 on each of the secondary DCs; at this point, try ... With the help of the pentesting team I work with, we were able to identify that event code 4662, an operation was performed on an object, is ... What is Windows Security Auditing? Security auditing in general is a process of cyclical, systematic review and evaluation of policies and controls that may affect the security of a network.
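The forwarder-side blacklist discussed above, as an added example rather than the poster's own line: a Splunk inputs.conf stanza on the domain controllers' universal forwarder of the form blacklist1 = EventCode="4662" Message="<regex>" drops a Security event when every key regex of that entry matches, so the first Message regex is a negative lookahead that matches exactly the 4662 events that carry none of the replication GUIDs, and a second entry removes replication events whose Subject Account Name ends in $ (a machine account, as expected for DCs). The Python below holds the two regexes verbatim and replays the Splunk matching rule over constructed 4662 message bodies; the account names, SID, domain and logon ID are assumptions, and whether to drop machine-account replication at all is a tuning choice, since it also hides an attacker who holds a DC computer account's credentials.

```python
"""Replay of Splunk inputs.conf blacklist entries for Event ID 4662 over constructed events.

Added example. The two Message regexes are written exactly as they would be placed in
    [WinEventLog://Security]
    blacklist1 = EventCode="4662" Message="<KEEP_ONLY_REPLICATION>"
    blacklist2 = EventCode="4662" Message="<DROP_MACHINE_ACCOUNTS>"
A Splunk blacklist entry drops an event when all of its key=regex pairs match.
"""
import re

REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)

# Matches (and therefore drops) any 4662 whose message carries none of the replication GUIDs.
KEEP_ONLY_REPLICATION = r"(?s)^(?!.*(" + "|".join(REPLICATION_GUIDS) + r"))"
# Matches a 4662 whose Subject account name ends in $, i.e. a machine account.
DROP_MACHINE_ACCOUNTS = r"(?s)Subject:.*?Account Name:\s+[^\r\n]*\$\s"

BLACKLIST = (
    ("blacklist1", {"EventCode": r"^4662$", "Message": KEEP_ONLY_REPLICATION}),
    ("blacklist2", {"EventCode": r"^4662$", "Message": DROP_MACHINE_ACCOUNTS}),
)


def dropped_by(event):
    """Name of the first blacklist entry whose regexes all match the event, else None."""
    for name, rules in BLACKLIST:
        if all(re.search(rx, event.get(key, "")) for key, rx in rules.items()):
            return name
    return None


def message_4662(account, right_guid):
    """Constructed 4662 message body in the layout of the rendered Security log event."""
    return ("An operation was performed on an object.\r\n\r\n"
            "Subject:\r\n"
            "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\r\n"
            f"\tAccount Name:\t\t{account}\r\n"
            "\tAccount Domain:\t\tCORP\r\n"
            "\tLogon ID:\t\t0x3E7C1\r\n\r\n"
            "Object:\r\n"
            "\tObject Server:\t\tDS\r\n"
            "\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n"
            "\tObject Name:\t\tDC=corp,DC=local\r\n"
            "\tHandle ID:\t\t0x0\r\n\r\n"
            "Operation:\r\n"
            "\tOperation Type:\t\tObject Access\r\n"
            "\tAccesses:\t\tControl Access\r\n"
            "\tAccess Mask:\t\t0x100\r\n"
            f"\tProperties:\t\tControl Access\r\n\t\t{{{right_guid}}}\r\n"
            "\t\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n")


# Constructed samples: a user replicating, a user exercising a non-replication right,
# a DC computer account replicating, and a logon event that no 4662 entry applies to.
SAMPLES = {
    "user_replication": {"EventCode": "4662", "Message": message_4662("faisal", REPLICATION_GUIDS[1])},
    "user_other_right": {"EventCode": "4662", "Message": message_4662("faisal", "bf967aba-0de6-11d0-a285-00aa003049e2")},
    "dc_replication": {"EventCode": "4662", "Message": message_4662("DC01$", REPLICATION_GUIDS[0])},
    "logon": {"EventCode": "4624", "Message": "An account was successfully logged on."},
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name}: dropped by {dropped_by(event)}")
```

Only the user's replication event survives the two entries and reaches the indexer; the rule that keeps it is the negative lookahead, which must be anchored with ^ and use (?s) because the rendered message spans several lines.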
Microsoft's audit policy reference notes that the Directory Service Replication subcategory has little to no security relevance; what matters for DCSync is Audit Directory Service Access, which produces Event ID 4662. The Splunk analytic leverages EventCode 4662 to detect when a user account initiates a replication request. The cool thing is that there are ways to detect this kind of attack with event ID 4662, and possibly other events, which I'm researching right now. Monitor this event ID for the DCSync attack, which lets attackers steal credentials by issuing DsGetNCChanges requests. Event ID 4662 is not an error condition, so there is nothing to "fix" when it appears; the question is whether the operation it records was expected.

Focus on Event ID 4662, which logs directory service access. Event volume: high. The detection only works if 4662 logging is configured correctly: in Advanced Audit Policy Configuration, under DS Access, open Audit Directory Service Access, select "Configure the following audit events:" and tick both the Success and Failure checkboxes (step 7 of the configuration walkthrough). On domain controllers 4662 is logged for any audited operation on an AD object and is perfectly normal; it only tells you that an object was accessed, so the Properties field has to be examined. If a 4662 event is found whose Properties field contains Replicating Directory Changes All, some user has exercised that extended right, and that is the filter to apply. Deploy a SIEM to monitor for these specific events. In the lab, event ID 4662 (an operation was performed on an object) is generated as soon as the sync is run. After we published the blog @TactiKoolSec highlighted us ...

Splunk Enterprise Security analytic, Updated Date: 2026-03-10, ID: 51307514-1236-49f6-8686-d46d93cc2821, Author: Dean Luxton, Type: TTP. Description: the analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. Otherwise, increasing the attack surface area will make it easier for attackers to access the credentials of Active Directory users. To detect DCSync with Event ID 4662 we want to examine the value of the Properties field and see if it contains Replicating Directory Changes All.
Best practice is to blocklist forwarding of the expected events from the expected hosts to keep the volume down. A second Splunk Enterprise Security analytic (Updated Date: 2026-03-10, ID: dc2f58bc-8cd2-4e51-962a-694b963acde0, Author: Steven Dick, Type: TTP) detects access attempts to ... and identifies unauthorized Active Directory replication requests initiated from non-domain-controller locations. Detecting DCSync is straightforward in principle because, once Audit Directory Service Access is enabled and a matching SACL is present on the domain object, each replication request against a domain controller generates an event with ID 4662. Triage: the event shows the class of the target object by its Ldap-Display-Name (domainDNS) or by its Schema-Id-Guid, 19195a5b-6da0-11d0-afd3-00c04fd930c9. The 4662 event generated by DCSync activity is therefore specific, even though the event itself generates every time an audited operation is performed on an AD object; it generates only if the appropriate SACL was set. Many instances of Event ID 4662 will be displayed when the Python script is executed, indicating attempts to synchronize information between the ... The analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack, which leaves the event ID as the primary signal.

Removing the domain controllers' own replication from the data has a cost: in this or any similar case where the computer account is used by a threat actor, Event ID 4662 would not be logged, and the DCSync attack would remain undetected with no trace. Adversaries may attempt to access credentials and other sensitive information by abusing a domain controller's replication API in exactly this way. However, there are some key differences from legitimate replication: the source is not a DC and the requesting principal is normally a user. Event description: An operation was performed on an object (e.g., an AD object modified).

- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (winlog.logon.id) on the Domain Controller (DC) that received the replication request.
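The checks discussed above and in the rule descriptions (replication GUIDs in the Properties field, Access Mask 0x100 against the domainDNS object, excluding the domain controllers' own machine accounts, and the 4662-to-4624 Logon ID correlation) run here over constructed sample events, as an added example that is not part of the original page or of any vendor rule. Events are dictionaries keyed by the EventData field names of the Security log (SubjectUserName, SubjectLogonId, Properties, AccessMask, ObjectType, TargetLogonId, IpAddress); the DC account list, the account name, logon IDs, addresses and the event counts per tool are assumptions.

```python
"""DCSync detection over Windows Security events 4662 and 4624.

Added example: the sample events below are constructed, not captured logs.
Each record carries the EventData fields of the Security log event as strings.
"""
from collections import defaultdict

# Extended rights a replication request exercises; their GUIDs appear in the 4662 Properties field.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED)

DOMAIN_DNS_CLASS_GUID = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # Schema-Id-Guid of domainDNS
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the Access Mask bit for an extended right

# Assumption: computer accounts of the domain controllers, whose replication is expected.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}


def is_replication_request(ev):
    """True for a 4662 record that exercises a replication extended right on the domain object."""
    if ev["EventID"] != 4662:
        return False
    if int(ev["AccessMask"], 16) & CONTROL_ACCESS == 0:
        return False
    if DOMAIN_DNS_CLASS_GUID not in ev["ObjectType"].lower():
        return False
    props = ev["Properties"].lower()
    return any(g in props for g in REPLICATION_GUIDS)


def detect_dcsync(events):
    """One finding per (account, Logon ID) that requested replication rights.

    DC machine accounts are skipped (a tuning choice: it also hides an attacker who
    holds a DC account). Each finding is enriched with the 4624 network logon
    (LogonType 3) carrying the same Logon ID, which gives the source of the session
    that sent the DsGetNCChanges request.
    """
    logons = {ev["TargetLogonId"].lower(): ev
              for ev in events if ev["EventID"] == 4624 and ev["LogonType"] == "3"}
    hits = defaultdict(list)
    for ev in events:
        if is_replication_request(ev) and ev["SubjectUserName"].upper() not in DOMAIN_CONTROLLERS:
            hits[(ev["SubjectUserName"], ev["SubjectLogonId"].lower())].append(ev)
    findings = []
    for (user, logon_id), evs in hits.items():
        rights = sorted({g for e in evs for g in REPLICATION_GUIDS if g in e["Properties"].lower()})
        logon = logons.get(logon_id)
        findings.append({
            "account": user,
            "logon_id": logon_id,
            "event_count": len(evs),
            "rights": rights,
            "source_ip": logon["IpAddress"] if logon else None,
            "workstation": logon["WorkstationName"] if logon else None,
        })
    return findings


def ev4662(user, logon_id, right_guid, mask="0x100"):
    """Constructed 4662 record in the shape of the Security log EventData."""
    return {"EventID": 4662, "SubjectUserName": user, "SubjectDomainName": "CORP",
            "SubjectLogonId": logon_id, "ObjectType": f"%{{{DOMAIN_DNS_CLASS_GUID}}}",
            "AccessMask": mask,
            "Properties": f"Control Access\r\n\t{{{right_guid}}}\r\n\t{{{DOMAIN_DNS_CLASS_GUID}}}\r\n"}


def ev4624(user, logon_id, ip, workstation, logon_type="3"):
    """Constructed 4624 record for the network logon that precedes the replication request."""
    return {"EventID": 4624, "TargetUserName": user, "TargetLogonId": logon_id,
            "LogonType": logon_type, "IpAddress": ip, "WorkstationName": workstation}


# Constructed sample: a user runs DCSync from 10.10.14.5 (four 4662 records, the count the
# text reports for Mimikatz), DC02$ replicates normally, and the same user later touches
# the domain object with a non-replication right and a different Access Mask.
SAMPLE_EVENTS = [
    ev4624("faisal", "0x3E7C1", "10.10.14.5", "KALI"),
    ev4662("faisal", "0x3E7C1", DS_REPL_GET_CHANGES),
    ev4662("faisal", "0x3E7C1", DS_REPL_GET_CHANGES_ALL),
    ev4662("faisal", "0x3E7C1", DS_REPL_GET_CHANGES),
    ev4662("faisal", "0x3E7C1", DS_REPL_GET_CHANGES_ALL),
    ev4662("DC02$", "0x3E7", DS_REPL_GET_CHANGES_ALL),
    ev4662("faisal", "0x3E7C1", "bf967aba-0de6-11d0-a285-00aa003049e2", mask="0x10"),
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The Logon ID join is what turns "a user account asked for replication rights" into "from this address and workstation"; without the 4624 the finding still fires, it just lacks the source, which is the case when the logon happened before the collection window.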
Understanding Event ID 4662 is a critical insight for security professionals: the event occurs when an operation is performed on an Active Directory object. The detection rule identifies instances where a user account has initiated an Active Directory (AD) replication request, which may suggest the occurrence of a DCSync attack, a method used by attackers to pull credentials from a domain controller. DCSync attacks abuse the DRS protocol to steal domain user hashes; common tools include Mimikatz, Impacket and PowerShell, and attackers can use them to dump all users or only specified ones. Detection and hunting: detecting DCSync attacks is challenging because they leverage legitimate AD replication functionality. The rule monitors Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) with Properties that contain at least one of the replication GUIDs.

Method 2: detect DCSync from the Windows Event Log. Check Security event 4662 (which must be enabled), the event used for directory access; the analytic leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. Abnormal requests can be picked up immediately by monitoring this event ID. Event ID 4662 is a Windows Security Auditing event that appears in Event Viewer to signify that a user has accessed (not necessarily modified) an object covered by a system access control list. With Microsoft Defender for Identity you get the alert "Suspected DCSync attack (replication of directory services)" out of the box. Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. From a blue teamer's perspective, event ID 4662 (Operation was performed on an object) is your best friend: look for entries whose properties specify the access rights DS-Replication-Get-Changes or DS-Replication-Get-Changes-All.
For detection I connected to DC1 as htb-student and filtered Event Viewer for Event ID 4662 — the event generated whenever an AD object is accessed via replication. From there, I started looking at what the Access Masks meant, finding that Access Mask ...

When the Active Directory database (ntds.dit) is replicated on the domain controller, an event is registered for the operation performed on ... You won't find event 4662 because they're blacklisted. This article covers how to detect DCSync using Event ID 4662, correlation with 4624, and detection logic you can implement in ... Detection: DS-Replication-Get-Changes operations are recorded with Event ID 4662. DCSync functionality has been included in the lsadump module of Mimikatz. The rule fires on a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and Properties that contain at least one of the replication GUIDs. Windows Event Logging: inspect the Windows Security Event Log for Event ID 4662 (An operation was performed on an object).
Monitoring the Windows Security event log on the domain controller is a relatively well-known detection technique: if you do some Googling on DCSync detections, you will likely come across a Windows Event Log detection focusing on Event ID 4662 and this rule (access mask 0x100 plus the replication GUIDs in Properties).

They were able to successfully, but during the process their Kali machine attempting DCSync froze up and stopped responding, so they rebooted it.

Filter for the specific GUIDs linked to replication operations (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes-All), dropping all 4662 events except those that match any of these GUIDs. We can also see the Security ID of the account QURESHI\faisal, which is performing the sync operation, and ... Mimikatz is an open-source post-exploitation tool, flagged as malware by most security products, that is commonly used by attackers and security professionals alike to extract sensitive information such as credentials from memory and, with DCSync, from the directory. Lab summary: simulated a DCSync attack in an AD environment using Mimikatz to replicate password hashes; covered detection using Event ID 4662 and GUIDs, and prevention methods like ... Event IDs to monitor: Security Event ID 4662 (the audit policy for the object must be enabled), An operation was performed on an object.
Event ID 4624 is the Windows Security Log event for a successful logon. Members of the Administrators, Domain Admins and Enterprise Admins groups, and the computer accounts of the domain controllers, are able to run DCSync to pull hashes; what actually matters is holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, which those principals have by default and which AD ACL Scanner can report on by creating reports of the access control lists (DACLs), so unexpected holders are found before the rights are used. Event ID 4662 indicates a permissioned operation was performed on an object in Active Directory; it is generated whenever an access matches the object's SACL, not only when a user creates, modifies or deletes objects. The replication of ntds.dit registers this event for the operation performed on the object (Figure 20: Security Event ID 4662).

To detect DCSync attacks on the network, monitor for DRSUAPI replication traffic originating from a non-DC IP address. The Splunk analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. The lab shows how misconfigured AD domain object permissions can be abused to dump DC password hashes using the DCSync technique with mimikatz. In Windows, I recommend disabling these 2 subcategories: Directory Service Replication ... This approach leverages security event log entries, particularly those with Event ID 4662, which is generated when specific access rights are requested on directory objects. In general, the list of keys used in the forwarder blacklist contains things like "EventCode" and "TaskCategory", which are the event log keys, not the Splunk field names.

This exploitation is executed through the DCSync technique, which mimics the replication behavior of legitimate domain controllers. Legitimate DCSync should only be performed by DC machine accounts (or SYSTEM on a DC), not by users. The one routine exception to allowlist explicitly is the Entra Connect (Azure AD Connect) synchronization account, which holds the replication rights for password hash synchronization and will show up in 4662 looking exactly like a DCSync.
Those are the event log keys, not the Splunk field names. Event ID: 4662. Event Type: Security. Triggered by: the replication GUID {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) together with the domainDNS object class {19195a5b-6da0-11d0-afd3-00c04fd930c9}. The blacklist prevents events with that code from being ingested and indexed; therefore, they cannot be searched. Ever since then, I'm getting three Event ID 4662 for the ... DCSync is a legitimate Active Directory feature that domain controllers use only for replicating changes, but illegitimate security principals ... More specifically, Event ID 4662 is the one to search for.