DCSync: Privileges, Enumeration, Detection & Hardening

Posted on Sep 1, 2025

What DCSync Really Does

DCSync abuses the MS-DRSR RPC protocol (Directory Replication Service Remote Protocol). Any principal with certain Extended Rights over the domain naming context can call IDL_DRSGetNCChanges and replicate AD data — including password hashes.

The critical rights are:

  • DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)
  • DS-Replication-Get-Changes-In-Filtered-Set (89e95b76-444d-4c62-991a-0facbeda640c)

Where These Privileges Exist

They are set on the domain root object (DC=RED,DC=CORP).

By default, holders include:

  • Domain Controllers (DC$ accounts)
  • Administrators / Domain Admins / Enterprise Admins
  • Directory sync service accounts (e.g., Azure AD Connect)

Any delegation beyond these defaults is a critical exposure.

Enumeration with PowerShell

# Requires the ActiveDirectory module, which also provides the AD:\ drive used below.
Import-Module ActiveDirectory

# Extended-right GUID -> friendly name (ObjectType on an ACE holds the GUID).
$RightMap = @{
  '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
  '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
  '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# The rights live on the domain root object, so read its DACL.
$domainDN = (Get-ADDomain).DistinguishedName
(Get-Acl "AD:\$domainDN").Access |
  Where-Object {
    # Keep only ACEs whose ObjectType is one of the three replication rights.
    $g = ([string]$_.ObjectType).ToLower()
    $RightMap.ContainsKey($g)
  } |
  Select-Object @{n='ExtendedRight';e={$RightMap[([string]$_.ObjectType).ToLower()]}},
                IdentityReference,
                AccessControlType,
                IsInherited,
                InheritanceType,
                ObjectType |
  Sort-Object ExtendedRight, IdentityReference |
  Format-Table -AutoSize

Detection & Telemetry

Key Windows Events (on DCs):

  • 4662 – object operation with replication GUIDs
  • 5136 – ACL modifications on domain root (nTSecurityDescriptor)
  • 4719 / 4907 – audit/SACL changes (visibility tampering)

Enable auditing:

auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

Network indicators: RPC/135 + dynamic RPC ports → drsuapi interface from non-DC hosts.
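The two event-based detections above can be checked directly on a DC (or against a forwarded Security log) with the script below. This is an added example, not code from the original post: it assumes the ActiveDirectory module is available, that the auditing subcategories above are enabled, and that only domain controller computer accounts (DC01$ and so on) are expected to request replication. Event field names (SubjectUserName, Properties, ObjectDN, AttributeLDAPDisplayName, OperationType) are the standard EventData names for 4662 and 5136.

```powershell
# Added example (not part of the original post). Assumes: ActiveDirectory module,
# Security log with 4662/5136 auditing enabled, run as a user who can read that log.
Import-Module ActiveDirectory

$ReplGuids = @(
  '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
  '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
  '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)
$ReplPattern = $ReplGuids -join '|'        # regex: any of the three GUIDs

# Flatten the EventData section of a Security event into a hashtable keyed by Data Name.
function ConvertTo-EventData {
  param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
  $xml  = [xml]$Event.ToXml()
  $data = @{}
  foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
  return $data
}

# 4662: replication control access requested by a subject that is not a DC account.
function Find-SuspiciousReplication {
  param([int]$Hours = 24)
  # DC computer accounts are the only expected replication callers.
  $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { '{0}$' -f $_ }
  $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
  Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($d['Properties'] -match $ReplPattern -and $dcAccounts -notcontains $d['SubjectUserName']) {
      [pscustomobject]@{
        Time     = $_.TimeCreated
        Subject  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Object   = $d['ObjectName']
        Rights   = ($ReplGuids | Where-Object { $d['Properties'] -match $_ }) -join ','
        Computer = $_.MachineName
      }
    }
  }
}

# 5136: nTSecurityDescriptor changed on the domain root (a possible new delegation).
function Find-DomainRootAclChange {
  param([int]$Hours = 24)
  $domainDN = (Get-ADDomain).DistinguishedName
  $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
  Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventData $_
    if ($d['ObjectDN'] -eq $domainDN -and $d['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        Subject = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Object  = $d['ObjectDN']
        Op      = $d['OperationType']   # %%14674 = value added, %%14675 = value deleted
      }
    }
  }
}

Find-SuspiciousReplication -Hours 24 | Format-Table -AutoSize
Find-DomainRootAclChange   -Hours 24 | Format-Table -AutoSize
```

Any row from Find-SuspiciousReplication is a replication request from a non-DC account and should be triaged against the known sync accounts (e.g. Azure AD Connect); rows from Find-DomainRootAclChange should be reconciled with change records, since a legitimate delegation and a backdoor look identical in the event itself.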

Hardening & Remediation

  • Apply least privilege: only DCs, Tier 0 admins, and legitimate sync accounts.
  • Remove legacy delegations; prefer gMSA for services.
  • Baseline ACLs and diff regularly.
  • Enforce JIT access + PAW.
  • SIEM alerts:
    • Event 4662 carrying replication GUIDs where the subject is not a DC account.
    • Event 5136 → changes to domain root ACL.
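The "baseline ACLs and diff regularly" item can be automated with the script below. It is an added example rather than code from the original post: it reuses the same GUID map as the enumeration section, stores one normalized record per replication ACE on the domain root as JSON, and reports additions or removals on later runs. The baseline path C:\Baselines\domain-root-replication.json is a hypothetical default.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module
# and write access to the (hypothetical) baseline path used as the default below.
Import-Module ActiveDirectory

$RightMap = @{
  '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
  '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
  '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# One flat record per replication ACE on the domain root (identity, right, allow/deny).
function Get-ReplicationAce {
  $domainDN = (Get-ADDomain).DistinguishedName
  (Get-Acl "AD:\$domainDN").Access |
    Where-Object { $RightMap.ContainsKey([string]$_.ObjectType) } |
    ForEach-Object {
      [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Right    = $RightMap[[string]$_.ObjectType]
        Type     = [string]$_.AccessControlType
      }
    }
}

# Stable string key so Compare-Object can match records across runs.
function ConvertTo-AceKey {
  param($Ace)
  '{0}|{1}|{2}' -f $Ace.Identity, $Ace.Right, $Ace.Type
}

# Record the known-good state once (after review of the enumeration output).
function Save-ReplicationBaseline {
  param([string]$Path = 'C:\Baselines\domain-root-replication.json')   # hypothetical path
  New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
  Get-ReplicationAce | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

# Emit one row per ACE added or removed since the baseline; no rows means no drift.
function Compare-ReplicationBaseline {
  param([string]$Path = 'C:\Baselines\domain-root-replication.json')
  $baseline = @(Get-Content $Path -Raw | ConvertFrom-Json | ForEach-Object { ConvertTo-AceKey $_ })
  $current  = @(Get-ReplicationAce | ForEach-Object { ConvertTo-AceKey $_ })
  Compare-Object -ReferenceObject $baseline -DifferenceObject $current | ForEach-Object {
    $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
    [pscustomobject]@{ Change = $change; Ace = $_.InputObject }
  }
}

# Usage: run Save-ReplicationBaseline once from a reviewed state, then schedule the compare
# and forward any output to the SIEM alongside the 5136 alert.
# Save-ReplicationBaseline
# Compare-ReplicationBaseline | Format-Table -AutoSize
```

An ADDED row for any principal other than the default holders listed earlier (DC accounts, the built-in admin groups, the directory sync account) is exactly the "extra delegation" the post warns about, and pairs naturally with the 5136 alert that should have fired when the descriptor changed.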