ITDR · February 2026 · 8 min read

Detecting DCSync Attacks with DKTrace ITDR

How DKTrace correlates Windows Event ID 4662 with LDAP query patterns to detect DCSync in under 2 seconds — with zero Sigma rule tuning required.


DKTrace Research Team

Security Engineering · Threat Research

What Is DCSync?

DCSync is a credential-theft technique where an attacker mimics an Active Directory domain controller to request password hashes for any user — including Domain Admins — via the MS-DRSR protocol. Tools: Mimikatz, Impacket secretsdump.

How DKTrace Detects It

DKTrace's ITDR module monitors Windows Security Event 4662 (An operation was performed on an object). When the Access Mask includes Control Access Rights and the Properties field contains:

1131f6aa — DS-Replication-Get-Changes
1131f6ad — DS-Replication-Get-Changes-All

the Sigma rule mapped to MITRE ATT&CK T1003.006 (OS Credential Dumping: DCSync) fires immediately.

The correlation engine then:

1. Checks whether the source account is a legitimate DC computer account
2. Queries the asset-manager for the source host's role
3. If the source is NOT a registered DC → immediate P1 escalation
4. The UEBA engine cross-checks whether this account has performed replication before (30-day baseline)
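The rule-then-correlate flow above, written out as an added Python example (this is not DKTrace's code). It evaluates constructed Event ID 4662 records against the two replication GUIDs, checks the Control Access bit in the AccessMask, and then runs the three correlation steps. The DC inventory (DC_ACCOUNTS, HOST_ROLES), the 30-day baseline set, the 4624 logon-ID lookup used to recover the caller's host (4662 itself carries no source address), and the choice to rate a baseline miss on an otherwise legitimate DC as P2 are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Full extended-right GUIDs; the article quotes only their first 8 hex characters.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Bit in the 4662 AccessMask meaning "Control Access" (ADS_RIGHT_DS_CONTROL_ACCESS).
CONTROL_ACCESS = 0x100

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)

# Constructed stand-ins for the asset inventory and the 30-day UEBA baseline.
DC_ACCOUNTS = {"DC01$", "DC02$"}
HOST_ROLES = {"10.0.0.10": "domain-controller",
              "10.0.0.11": "domain-controller",
              "10.0.0.57": "workstation"}
REPLICATION_BASELINE = {"DC01$", "DC02$"}   # accounts seen replicating before

# 4662 has no source-address field, so the caller's host is recovered from the
# matching 4624 logon via SubjectLogonId (constructed lookup table).
LOGONS = {"0x3e7a1": "10.0.0.11", "0x5c2b9": "10.0.0.57"}


@dataclass
class Verdict:
    rule_fired: bool
    severity: str                  # "none", "info", "P2" or "P1"
    reasons: list = field(default_factory=list)


def replication_rights(event):
    """Return the DCSync-relevant GUIDs named in a 4662 event, or an empty set."""
    if event.get("EventID") != 4662:
        return set()
    mask = int(str(event.get("AccessMask", "0")), 16)
    if not mask & CONTROL_ACCESS:
        return set()                # e.g. a plain Read Property (0x10) audit
    found = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return found & REPLICATION_GUIDS


def evaluate(event, logons=LOGONS):
    """Apply the rule, then the correlation checks described in the article."""
    rights = replication_rights(event)
    if not rights:
        return Verdict(False, "none")
    v = Verdict(True, "info", [f"replication rights requested: {sorted(rights)}"])
    account = event.get("SubjectUserName", "")
    src_ip = logons.get(event.get("SubjectLogonId"))
    role = HOST_ROLES.get(src_ip, "unknown")
    # Legitimate replication: a DC computer account on a host registered as a DC.
    if account not in DC_ACCOUNTS or role != "domain-controller":
        v.severity = "P1"
        v.reasons.append(f"{account} from {src_ip} ({role}) is not a registered DC")
    # UEBA check: has this account replicated before?
    if account not in REPLICATION_BASELINE:
        v.reasons.append(f"{account} has no replication in the 30-day baseline")
        if v.severity == "info":
            v.severity = "P2"      # assumption: a baseline miss alone is a lower tier
    return v


def triage(events, logons=LOGONS):
    return [evaluate(e, logons) for e in events]


# Constructed sample events (field names follow the 4662 XML schema).
# 19195a5b-... is the domainDNS object-class GUID that accompanies a DCSync request.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7a1",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5c2b9",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectLogonId": "0x5c2b9",
     "AccessMask": "0x10",
     "Properties": "Read Property {00000000-0000-0000-0000-000000000001}"},  # constructed GUID
]

if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, triage(EVENTS)):
        print(ev["SubjectUserName"], verdict.severity, verdict.reasons)
```

Running the block rates DC02$ replicating from a registered DC as "info", the same request from jsmith on a workstation as "P1" (with a second reason from the baseline miss), and the Read Property audit as no match because the Control Access bit is absent. In a real deployment the GUID match alone is the Sigma layer; the inventory and baseline lookups are what keep normal DC-to-DC replication from paging anyone.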

Detection Timeline (Production Measurements)

Event                                        Timestamp
Event ingested by agent-receiver             T+0ms
Normalised to DCEM canonical model           T+12ms
Enriched with asset context                  T+28ms
Sigma rule T1003.006 fired                   T+41ms
UEBA baseline checked                        T+89ms
Correlation links to Kerberoasting 3h prior  T+156ms
P1 incident created with MITRE mapping       T+203ms
SOC analyst notified via PagerDuty           T+1.8s

Automated Playbook Response

DKTrace auto-triggers playbook ITDR-DCSync-001:

AUTO tier (immediate, no approval):

Capture lsass memory dump on source host
Preserve network state snapshot

MANAGER tier (SOC manager approval):

Block source host at switch level via 802.1X port disable

CISO tier (CISO approval):

Disable source user account in Active Directory
Initiate formal IR declaration

What to Do If You See This Alert

1. Confirm the source host is not a legitimate DC (check DKTrace asset inventory)
2. Check what other alerts fired on this host in the past 24 hours
3. Look for Kerberoasting (T1558.003) or Pass-the-Hash (T1550.002) in the same session
4. Rotate the KRBTGT password twice (invalidates all existing Kerberos tickets)
5. Force a password reset for any account whose hash was likely obtained
