Troubleshooting DCSync attacks not being detected by ADAudit Plus

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • How to reach support

  • Related topics and articles

 

Issue description  

An event related to a DCSync attack is not being detected by ADAudit Plus. The activity is not found under the Active Directory tab > Attack Surface Analyzer > Threat > DCSync section of the console.

This occurs when the product fails to detect the attack's signature. To understand the failure, it's important to know how ADAudit Plus identifies a DCSync attempt. It analyzes the security event logs on domain controllers for a specific combination of indicators:

  • Event ID: 4662—an operation was performed on an object.

  • Access Mask: 0x100—this corresponds to Control Access.

  • Object Properties Accessed:

    • {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}: Replicating Directory Changes.

    • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}: Replicating Directory Changes All.

    • {89e95b76-444d-4c62-991a-0facbeda640c}: Replicating Directory Changes In Filtered Set.

  • Subject Account Name: the account performing the operation must not end with $. This excludes legitimate replication performed by domain controller machine accounts, which is what a normal DC-to-DC replication event looks like.
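The signature above, turned into a check you can run yourself. This is an added example and not ADAudit Plus code or the vendor's detection logic; it applies the four indicators listed here to the local Security log, so it also serves as a quicker way to do Step 1 of the Resolution section. It assumes an elevated PowerShell session on the domain controller, the standard EventData field names Windows emits for event 4662 (SubjectUserName, SubjectDomainName, AccessMask, Properties, ObjectName), and a lookback window ($Hours) that is an assumption of the example.

```powershell
# Added example, not ADAudit Plus code: report Security events on this DC that
# match the DCSync signature (4662 + AccessMask 0x100 + replication right + non-$ subject).
# Assumes an elevated PowerShell session on the domain controller.
param([int]$Hours = 24)   # lookback window (assumed default for this example)

# Control-access rights that permit directory replication (GUIDs as listed in the article)
$ReplicationRights = @{
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$GuidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> elements into a lookup table
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 1. Access Mask 0x100 = Control Access
    if ($data['AccessMask'] -ne '0x100') { continue }

    # 2. At least one replication right among the accessed properties
    $rights = [regex]::Matches($data['Properties'], $GuidPattern) |
        ForEach-Object { $_.Value.ToLower() } |
        Where-Object { $ReplicationRights.ContainsKey($_) }
    if (-not $rights) { continue }

    # 3. Exclude machine accounts: DC-to-DC replication is legitimate
    if ($data['SubjectUserName'] -like '*$') { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Rights      = ($rights | ForEach-Object { $ReplicationRights[$_] }) -join '; '
        Object      = $data['ObjectName']
        RecordId    = $e.RecordId
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else { "No 4662 events matching the DCSync signature in the last $Hours hour(s)." }
```

If the script lists matching events but the ADAudit Plus console shows nothing, the domain controller is auditing correctly and the gap is in collection or processing (Scenario A below); if the script and Event Viewer both return nothing after a known replication request, the audit policy is the first thing to check (Scenario B).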

 

Prerequisites  

  • You must have administrator access to a domain controller.

  • You need permissions to run Command Prompt in elevated mode on the domain controller.

 

Possible causes  

  • The Audit Directory Service Access policy is disabled, which prevents the domain controller from generating the necessary event ID 4662.

  • The event is being generated on the domain controller, but there is an issue with ADAudit Plus collecting or processing the event data from the respective domain controller.

 

Resolution  

Follow these steps to diagnose and resolve the issue.

Step 1: Check for event ID 4662 on the domain controller  

The first step is to determine if the domain controller is generating the raw event that ADAudit Plus needs for detection.

  1. Log in to the domain controller that was targeted by the DCSync attempt.

  2. Open Event Viewer.

  3. Navigate to Windows Logs > Security.

  4. From the Actions pane, select Filter Current Log.

  5. In the filter window, enter 4662 into the event ID field and click OK.

  6. Review the filtered events. Examine the details of any found events to see if they match the DCSync signature outlined in the Issue description section (e.g., the correct Access Mask, Object Properties, and a non-machine account name).

Step 2: Analyze the findings  

Based on the results from step one, proceed with one of the following scenarios:

Scenario A: Event 4662 is present and matches the DCSync signature

If you can find event ID 4662 with the correct details in the domain controller's security log, but it does not appear in ADAudit Plus, this indicates an issue with event collection or processing. In this case, please proceed to the How to reach support section for further assistance.

Scenario B: Event 4662 is not present

If you cannot find event ID 4662 after the DCSync attempt, it confirms that the required audit policy is not enabled. Proceed to the next step to enable it.

Step 3: Verify and enable the required audit policy  

  1. On the domain controller, open Command Prompt in elevated mode.

  2. Execute the command auditpol /get /category:* and, under the DS Access category, check the Directory Service Access subcategory. If it shows No Auditing, this confirms that Audit Directory Service Access is not enabled for Success.

  3. To enable the policy, open the Group Policy Management Console and edit the Default Domain Controllers Policy GPO.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

  5. Double-click the Audit Directory Service Access policy, check the Define these policy settings box, and then check the Success box.

  6. Click Apply and OK.

  7. Force an immediate policy update by running the command gpupdate /force in an elevated Command Prompt.
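To confirm the outcome of Step 3 without reading the whole auditpol table, here is an added PowerShell check; it is not ADAudit Plus code. It assumes an elevated session on the domain controller and English-language auditpol output, and Test-DsAccessAuditing is a function name chosen for this example.

```powershell
# Added example, not ADAudit Plus code: verify that the "Directory Service Access"
# subcategory audits Success on this DC after the GPO change and gpupdate.
# Assumes an elevated PowerShell session and English-language auditpol output.
function Test-DsAccessAuditing {
    $out  = auditpol /get /subcategory:"Directory Service Access"
    $line = $out | Where-Object { $_ -match '^\s*Directory Service Access\s' }
    if (-not $line) { throw 'auditpol returned no result; run this from an elevated prompt.' }

    # The line reads "  Directory Service Access   Success" (or "... No Auditing")
    $setting = ($line -replace '^\s*Directory Service Access\s+', '').Trim()
    [pscustomobject]@{
        Subcategory    = 'Directory Service Access'
        Setting        = $setting
        SuccessEnabled = ($setting -match 'Success')
    }
}

gpupdate /force | Out-Null        # pull the edited Default Domain Controllers Policy
$result = Test-DsAccessAuditing
$result
if (-not $result.SuccessEnabled) {
    Write-Warning 'Success auditing for Directory Service Access is still off; re-check the GPO link and scope, then repeat Step 3.'
}
```

A SuccessEnabled value of True means the domain controller will now write event 4662 for control-access operations, which is what ADAudit Plus needs; if it stays False after gpupdate, the GPO is usually not linked to the Domain Controllers OU or is being overridden by a higher-precedence policy.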

Step 4: Validate the fix  

  1. After the policy has been applied, perform the DCSync action again.

  2. Verify that the attack is now logged as expected in the ADAudit Plus console.

How to reach support  

If the issue persists after following all the steps, or if you found a matching event 4662 in step one, please contact our support team for further assistance. Providing screenshots of your findings will help expedite the resolution.

Related topics and articles  

  • How to detect and respond to a DCSync attack using ADAudit Plus

  • Troubleshooting agent installation errors in ADAudit Plus

  • Troubleshooting 2FA in ADAudit Plus

  • Troubleshooting ADAudit Plus performance issues due to high CPU usage

  • Installing the ADAudit Plus agent via UI