RULE 03 AD DC Sync Non DC Replication
Query
// =========================================================
// RULE-03 | AD-DCSync-NonDC-Replication
// Description : DCSync detection — Event 4662 showing
// DS-Replication-Get-Changes-All (or -Get-Changes)
// access rights exercised by a source that is NOT
// a known Domain Controller computer account.
// Covers Mimikatz lsadump::dcsync, secretsdump,
// and impacket GetUserSPNs with -just-dc flag.
// Severity : Critical (any non-DC DCSync)
// Frequency : Every 15 minutes, look-back 15 minutes
// MITRE : T1003.006 — DCSync
// Tables : SecurityEvent
// NOT duplicated: Sentinel built-in "Rare DCSync Activity" fires
// on volume; this rule fires on ANY non-DC source
// using exact DS-Replication GUIDs.
// =========================================================
let LookBack = 15m;
// DS-Replication-Get-Changes-All GUID
let ReplicationAllGUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
// DS-Replication-Get-Changes GUID
let ReplicationGUID = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";
// Build dynamic DC list from this workspace (KDC-issuing machines)
let KnownDCNames = SecurityEvent
| where TimeGenerated > ago(3d)
| where EventID == 4768
| summarize by DCName = toupper(Computer)
| project DCName;
let KnownDCAccounts = SecurityEvent
| where TimeGenerated > ago(3d)
| where EventID == 4768
| where TargetUserName endswith "$"
| summarize by MachineAcct = toupper(TargetUserName);
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4662 // Operation performed on AD object
| where ObjectType has "domainDNS"
| where AccessMask == "0x100" // Control Access
| where Properties has ReplicationAllGUID
or Properties has ReplicationGUID
// Exclude actual Domain Controllers
| where not(toupper(SubjectUserName) endswith "$"
and toupper(SubjectUserName) in~ (KnownDCAccounts))
| where not(toupper(Computer) in~ (KnownDCNames))
| extend
ActorAccount = strcat(SubjectDomainName, "\\", SubjectUserName),
IsServiceAccount = SubjectUserName endswith "$",
ReplicationRight = case(
Properties has ReplicationAllGUID, "DS-Replication-Get-Changes-All (Full DCSync)",
Properties has ReplicationGUID, "DS-Replication-Get-Changes (Partial)",
"Unknown Replication Right"
)
| summarize
DCsyncCount = count(),
TargetObjects = make_set(ObjectName, 10),
ReplicationRights = make_set(ReplicationRight),
EarliestEvent = min(TimeGenerated),
LatestEvent = max(TimeGenerated)
by ActorAccount, SubjectUserName, SubjectDomainName, Computer, IsServiceAccount
| extend
Severity = "Critical",
WhySuspicious = strcat(
"DCSync_From_NonDC; ",
iff(IsServiceAccount, "ServiceAccount_Source; ", "UserAccount_Source; "),
ReplicationRights
)
| project
TimeGenerated = LatestEvent,
Severity,
WhySuspicious,
ActorAccount,
Computer,
DCsyncCount,
ReplicationRights,
TargetObjects,
EarliestEvent,
LatestEvent
| order by DCsyncCount descExplanation
This query is designed to detect suspicious DCSync activities in an Active Directory environment. Here's a simplified explanation of what it does:
-
Purpose: The query identifies instances where a non-Domain Controller (non-DC) account attempts to perform DCSync operations, which are typically used to replicate directory data. This is a critical security concern because it can indicate unauthorized access or data exfiltration attempts.
-
Key Components:
- Lookback Period: The query examines events from the last 15 minutes.
- Replication GUIDs: It looks for specific GUIDs associated with DCSync operations, namely "DS-Replication-Get-Changes-All" and "DS-Replication-Get-Changes".
- Known Domain Controllers: It dynamically builds a list of known Domain Controller names and accounts from recent events to exclude legitimate DC activities.
-
Detection Logic:
- The query searches for Event ID 4662, which indicates operations performed on Active Directory objects.
- It filters for events involving the "domainDNS" object type and a specific access mask indicating control access.
- It excludes events initiated by known Domain Controllers.
- It identifies the actor account performing the operation and checks if it's a service account.
-
Output:
- The query summarizes the findings by counting the number of suspicious DCSync attempts, listing the target objects, and noting the replication rights used.
- It provides details such as the actor account, computer name, and timestamps of the earliest and latest events.
- The results are marked with a "Critical" severity level and include a "WhySuspicious" field explaining the reason for suspicion.
-
Ordering: The results are ordered by the number of DCSync attempts in descending order, highlighting the most frequent offenders.
Overall, this query is a security measure to detect and alert on potential unauthorized replication activities in an Active Directory environment, which could indicate a security breach.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators
MITRE Techniques