DET0594 Detection of Unauthorized DCSync Operations via Replication API Abuse

Item Value
ID DET0594
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1003.006 (DCSync)

Analytics

Windows

AN1632

Detects unauthorized invocation of replication operations (DCSync) via Directory Replication Service (DRS), often executed by threat actors using Mimikatz or similar tools from non-DC endpoints.

Log Sources
Data Component Name Channel
Active Directory Object Access (DC0071) WinEventLog:Security EventCode=4662
Active Directory Object Deletion (DC0068) WinEventLog:Security EventCode=4929
Network Traffic Content (DC0085) NSM:Content Traffic on RPC DRSUAPI

Mutable Elements
Field Description
TimeWindow Defines the correlation window for unusual account access followed by DRSUAPI traffic.
UserContext Allows tuning for specific accounts known to legitimately request replication.
SourceIP Expected replication should only come from known DCs; this field allows excluding trusted DCs.
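The analytic AN1632 and its three mutable elements can be written out as detection logic. The Python below is an added example, not MITRE's or any project's code: it scans Security 4662 records for the replication extended-right GUIDs in the Properties field, applies UserContext and SourceIP as allow-lists, and correlates each hit with DRSUAPI network observations inside TimeWindow. The three GUIDs are the real Active Directory control-access rights a DCSync request asks for; the event records, flows, account names, IP addresses and allow-lists are constructed for the example and do not come from the page.

```python
"""Added example (not MITRE's code): DCSync detection logic over constructed
Windows Security 4662 records and DRSUAPI network observations. All records,
addresses and allow-lists below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extended-right GUIDs a DCSync request asks for; 4662 lists them in the
# Properties field. These three are the real AD control-access right GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


@dataclass
class Event4662:
    """Subset of a Security 4662 record (4662 carries no client address)."""
    time: datetime
    subject_user: str
    properties: str      # Properties field: access GUIDs, one per line in the raw event
    access_mask: str     # 0x100 = Control Access, the mask a DCSync request needs


@dataclass
class DrsuapiFlow:
    """One DRSUAPI RPC observation from the network sensor (DC0085)."""
    time: datetime
    src_ip: str
    dst_ip: str


@dataclass
class Config:
    """The three mutable elements of DET0594 as tunables."""
    time_window: timedelta = timedelta(minutes=5)   # TimeWindow
    user_context: frozenset = frozenset()           # UserContext: accounts allowed to replicate
    trusted_dc_ips: frozenset = frozenset()         # SourceIP: known DCs to exclude


def replication_rights(ev: Event4662):
    """Names of the replication rights present in the event's Properties field."""
    props = ev.properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, flows, cfg: Config):
    """Return one alert per suspicious replication request.

    A 4662 is suspicious when it requests a replication right with Control
    Access and the subject is not in UserContext. DRSUAPI flows from non-DC
    addresses inside TimeWindow raise the severity and attribute the request
    to a source IP, since 4662 itself does not record one."""
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights or ev.access_mask.lower() != "0x100":
            continue
        if ev.subject_user in cfg.user_context:
            continue
        sources = sorted({
            f.src_ip for f in flows
            if f.src_ip not in cfg.trusted_dc_ips
            and abs(f.time - ev.time) <= cfg.time_window
        })
        alerts.append({
            "time": ev.time,
            "subject": ev.subject_user,
            "rights": rights,
            "source_ips": sources,
            "severity": "high" if sources else "medium",
        })
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2025, 10, 21, 9, 0, 0)
BOTH_RIGHTS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
               "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    # DC02 replicating from DC01: expected, suppressed via UserContext.
    Event4662(T0, "DC02$", BOTH_RIGHTS, "0x100"),
    # Ordinary user requesting both replication rights: DCSync-shaped.
    Event4662(T0 + timedelta(minutes=1), "jdoe", BOTH_RIGHTS, "0x100"),
    # Admin reading an unrelated object (constructed non-replication GUID): ignored.
    Event4662(T0 + timedelta(minutes=2), "admin1",
              "{e1d3c6a5-0000-4000-8000-000000000001}", "0x10"),
]
SAMPLE_FLOWS = [
    DrsuapiFlow(T0 + timedelta(seconds=30), "10.0.0.11", "10.0.0.10"),  # DC02 -> DC01, trusted
    DrsuapiFlow(T0 + timedelta(seconds=70), "10.0.0.50", "10.0.0.10"),  # workstation -> DC01
]
SAMPLE_CONFIG = Config(
    time_window=timedelta(minutes=5),
    user_context=frozenset({"DC01$", "DC02$"}),
    trusted_dc_ips=frozenset({"10.0.0.10", "10.0.0.11"}),
)

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, SAMPLE_FLOWS, SAMPLE_CONFIG):
        print(alert)
```

Running it with SAMPLE_CONFIG yields a single high-severity alert for jdoe attributed to 10.0.0.50; with an empty Config() the DC02$ replication also fires, which is the false-positive class UserContext and SourceIP exist to tune out. In a real deployment the 4662 subject would additionally be checked against the Domain Controllers group rather than a static list.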