Troubleshooting DCSync attacks not being detected by ADAudit Plus

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • How to reach support

  • Related topics and articles

 

Issue description  

An event related to a DCSync attack is not being detected by ADAudit Plus. The activity is not found under the Active Directory tab > Attack Surface Analyzer > Threat > DCSync section of the console.

This occurs when the product fails to detect the attack's signature. To understand the failure, it's important to know how ADAudit Plus identifies a DCSync attempt. It analyzes the security event logs on domain controllers for a specific combination of indicators:

  • Event ID: 4662—an operation was performed on an object.

  • Access Mask: 0x100—this corresponds to Control Access.

  • Object Properties Accessed:

    • {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}: Replicating Directory Changes.

    • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}: Replicating Directory Changes All.

    • {89e95b76-444d-4c62-991a-0facbeda640c}: Replicating Directory Changes In Filtered Set.

  • Subject Account Name: The account performing the action should not end with $ to exclude legitimate replication by domain controller machine accounts.
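As an added illustration (not ADAudit Plus code), the following Python applies the four-part signature above to 4662 events in the XML layout Event Viewer shows under Details > XML View. The sample events, account names and the last property GUID are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace
CONTROL_ACCESS = 0x100
# Replication control-access rights listed in the article's DCSync signature
DCSYNC_GUIDS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # Replicating Directory Changes
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # Replicating Directory Changes All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # Replicating Directory Changes In Filtered Set
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def parse_4662(xml_text):
    """Extract the fields the signature needs from one event; None if it is not a 4662."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "subject": data.get("SubjectUserName", ""),
        "mask": int(data.get("AccessMask", "0"), 16),
        "guids": {g.lower() for g in GUID_RE.findall(data.get("Properties", ""))},
    }

def is_dcsync(xml_text):
    """Apply the signature: 4662 + Control Access bit + replication GUID + non-machine account."""
    ev = parse_4662(xml_text)
    return bool(ev) and (ev["mask"] & CONTROL_ACCESS) == CONTROL_ACCESS \
        and bool(ev["guids"] & DCSYNC_GUIDS) and not ev["subject"].endswith("$")

def event_xml(event_id, subject, mask, props):
    """Constructed event XML in Event Viewer's XML-view layout (sample data, not a real export)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
            f'<Data Name="AccessMask">{mask}</Data>'
            f'<Data Name="Properties">{props}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed: DC-to-DC replication, a DCSync by a user account, an unrelated read
    event_xml(4662, "DC01$", "0x100", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    event_xml(4662, "jsmith", "0x100", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                                       "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    event_xml(4662, "jsmith", "0x10", "{00000000-0000-0000-0000-000000000001}"),  # placeholder GUID
]

def dcsync_subjects(events):
    """Return the subject account names of the events that match the signature."""
    return [parse_4662(e)["subject"] for e in events if is_dcsync(e)]
```

Running `dcsync_subjects(SAMPLE_EVENTS)` returns only `['jsmith']`: the DC01$ replication is excluded by the machine-account rule and the 0x10 read by the access mask.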

 

Prerequisites  

  • You must have administrator access to a domain controller.

  • You need permissions to run Command Prompt in elevated mode on the domain controller.

 

Possible causes  

  • The Audit Directory Service Access policy is disabled, which prevents the domain controller from generating the necessary event ID 4662.

  • The event is being generated on the domain controller, but there is an issue with ADAudit Plus collecting or processing the event data from the respective domain controller.

 

Resolution  

Follow these steps to diagnose and resolve the issue.

Step 1: Check for event ID 4662 on the domain controller  

The first step is to determine if the domain controller is generating the raw event that ADAudit Plus needs for detection.

  1. Log in to the domain controller that was targeted by the DCSync attempt.

  2. Open Event Viewer.

  3. Navigate to Windows Logs > Security.

  4. From the Actions pane, select Filter Current Log.

  5. In the filter window, enter 4662 into the event ID field and click OK.

  6. Review the filtered events. Examine the details of any found events to see if they match the DCSync signature outlined in the Issue description section (e.g., the correct Access Mask, Object Properties, and a non-machine account name).

Step 2: Analyze the findings  

Based on the results from step one, proceed with one of the following scenarios:

Scenario A: Event 4662 is present and matches the DCSync signature

If you can find event ID 4662 with the correct details in the domain controller's security log, but it does not appear in ADAudit Plus, this indicates an issue with event collection or processing. In this case, please proceed to the How to reach support section for further assistance.

Scenario B: Event 4662 is not present

If you cannot find event ID 4662 after the DCSync attempt, it confirms that the required audit policy is not enabled. Proceed to the next step to enable it.

Step 3: Verify and enable the required audit policy  

  1. On the domain controller, open Command Prompt in elevated mode.

  2. Execute the command auditpol /get /category:* and check the DS Access subcategory to confirm that Audit Directory Service Access is not enabled for Success.

  3. To enable the policy, open the Group Policy Management Console and edit the Default Domain Controllers Policy GPO.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

  5. Double-click the Audit Directory Service Access policy, check the Define these policy settings box, and then check the Success box.

  6. Click Apply and OK.

  7. Force an immediate policy update by running the command gpupdate /force in an elevated Command Prompt.

Step 4: Validate the fix  

  1. After the policy has been applied, perform the DCSync action again.

  2. Verify that the attack is now logged as expected in the ADAudit Plus console.

How to reach support  

If the issue persists after following all the steps, or if you found a matching event 4662 in step one, please contact our support team for further assistance. Providing screenshots of your findings will help expedite the resolution.

Related topics and articles  
