How to detect and respond to a DCSync attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective

This article explains how to use ADAudit Plus to detect a DCSync attack, understand the immediate remediation steps required, and implement long-term prevention strategies.

Prerequisites

  • You must have administrator access to the ADAudit Plus web console.

  • The required audit policies to generate Event ID 4662 (An operation was performed on an object) must be enabled on your domain controllers.

Steps to follow

The process for handling a DCSync attack involves three main stages: detection, immediate remediation, and long-term prevention.

Step 1: Detecting the attack

  1. Navigate to the Active Directory tab > Attack Surface Analyzer > Threats > DC Sync.

  2. Review this report for any detected events related to a possible DCSync attack.

Step 2: Understanding the detection criteria

ADAudit Plus detects a potential DCSync attack by identifying a specific combination of factors in the event logs:

  • Event code equals 4662.

  • Access Mask equals 0x100.

  • Properties contains one of the following Directory Replication Service GUIDs:

    • {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}

    • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}

    • {89e95b76-444d-4c62-991a-0facbeda640c}

  • The Subject Account Name does not end with $.
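The following is an added example, not code from the ADAudit Plus article or product, that applies the four detection criteria above to a few constructed 4662 records. The semicolon-separated record format, the sample values, and the optional allowlist of accounts known to replicate legitimately are assumptions made for the example.

```python
# Directory Replication Service control-access-right GUIDs from the criteria above.
DRS_GUIDS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",  # DS-Replication-Get-Changes-All
    "{89e95b76-444d-4c62-991a-0facbeda640c}",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed sample records (assumed "key=value;key=value" export format, not real logs).
# Record 1: a user exercising replication rights -> should be flagged.
# Record 2: a domain controller computer account (ends with $) -> excluded.
# Record 3: wrong access mask -> excluded.
# Record 4: control access on an unrelated, placeholder GUID -> excluded.
SAMPLE_EVENTS = [
    "EventID=4662;AccessMask=0x100;SubjectUserName=jdoe;"
    "Properties=%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;AccessMask=0x100;SubjectUserName=DC01$;"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;AccessMask=0x20;SubjectUserName=jdoe;"
    "Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;AccessMask=0x100;SubjectUserName=jdoe;"
    "Properties=%%7688 {00000000-0000-0000-0000-000000000001}",
]


def parse_record(line):
    """Split one 'key=value;key=value' record into a dict (assumed format)."""
    return dict(kv.split("=", 1) for kv in line.split(";"))


def _access_mask(value):
    """Accept either an int or a hex string such as '0x100'."""
    return value if isinstance(value, int) else int(str(value), 16)


def is_dcsync_candidate(event, allowlist=frozenset()):
    """Return True when the event meets all four criteria from the article.
    `allowlist` (an assumption) holds accounts known to replicate legitimately."""
    if str(event.get("EventID")) != "4662":
        return False
    if _access_mask(event.get("AccessMask", "0")) != 0x100:  # control access right
        return False
    if not any(g in event.get("Properties", "").lower() for g in DRS_GUIDS):
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$"):  # computer accounts, including DCs, are excluded
        return False
    return subject.lower() not in {a.lower() for a in allowlist}


def find_dcsync_events(lines, allowlist=frozenset()):
    """Parse each record and return only those matching the DCSync criteria."""
    parsed = (parse_record(line) for line in lines)
    return [e for e in parsed if is_dcsync_candidate(e, allowlist)]
```

Running `find_dcsync_events(SAMPLE_EVENTS)` flags only the first record; passing `allowlist={"jdoe"}` suppresses it, which is how a known sync service account would be excluded without weakening the rule itself.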

Step 3: Immediate remediation

If an active attack is detected, your Active Directory's trust is likely compromised. Act immediately.

  1. Contain the source: Identify the Subject Account Name and source workstation from the event. Isolate that machine from the network immediately.

  2. Disable the compromised account: Disable the user account that performed the action. Do not delete it, as it is needed for the investigation.

  3. Reset the krbtgt account password (twice): This is the most critical step to invalidate any Kerberos Golden Tickets an attacker may have created. The password must be reset twice, with a waiting period between the two resets that is longer than your domain's maximum ticket lifetime.

  4. Reset all privileged account passwords: Reset the passwords for all members of groups like Domain Admins, Enterprise Admins, Schema Admins, and any service accounts with high privileges.

  5. Investigate and hunt:

    • Audit permissions: Determine how the attacker's account gained the necessary Replicating Directory Changes rights.

    • Hunt for persistence: Look for other signs of compromise, such as the creation of new user accounts, scheduled tasks, or services created by the attacker.

Validation and confirmation

  • After remediation, the DCSync report in ADAudit Plus should no longer show new, active threats from the contained source.

  • Continued monitoring should confirm that privileged accounts are secure and replication rights are correctly configured according to your policies.

Tips

The following best practices can help prevent DCSync attacks.

Principle of Least Privilege (PoLP)

  • Audit replication rights: Regularly audit which accounts hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions on the domain root object. By default, only Domain Controllers, Enterprise Admins, and Administrators should have these rights.

  • Remove unnecessary permissions: If any non-default accounts have these permissions, investigate and remove them if they are not essential.

Secure privileged accounts and Domain Controllers

  • Tiered access model: Implement an administrative tier model where your most critical assets (Tier 0), like Domain Controllers (DCs), can only be managed by specific Tier 0 administrator accounts.

  • Harden DCs: Restrict network traffic to your DCs, keep them fully patched, and prevent privileged accounts from logging on to regular servers and workstations.

Monitoring and detection

  • Monitor for ACL changes: Create alerts for any modifications to the Access Control List (ACL) of the domain object.

  • Monitor for abnormal replication traffic: Legitimate replication occurs between Domain Controllers. Monitor for any replication requests originating from non-DC IP addresses.

Related topics and articles

  • How to detect and respond to a Pass-the-Hash attack using ADAudit Plus 