Qilin Ransomware Intrusion Uses DCSync to Target Active Directory Credentials


A recent Qilin ransomware intrusion involved DCSync activity designed to extract sensitive credentials from Active Directory. The attacker used the domain’s built-in Administrator account to make replication requests normally associated with domain controllers and approved synchronization services.

DCSync can expose password hashes for high-value accounts, including the KRBTGT account used by the Kerberos authentication service. Attackers can use the stolen material to expand their access, move across the network, and establish persistence before deploying ransomware.

Security researcher Maurice Fielenbach identified the activity while reviewing Windows Security logs from the affected environment. In his Qilin intrusion analysis, he described a sudden change from routine Microsoft Entra Connect replication to hundreds of requests from an unexpected administrator account.

Windows logs exposed the abnormal replication activity

The environment used a Microsoft Entra Connect account with a name beginning with MSOL_. Its legitimate directory replication activity followed a predictable two-minute schedule, with requests recorded at 01:19, 01:21, and 01:23.

At 01:25, several hundred Event ID 4662 records appeared under the built-in Administrator account. Microsoft explains that Event ID 4662 records operations performed on Active Directory objects when administrators have configured the appropriate auditing and system access control lists.

The event volume helped expose the change, but the account behind the requests provided the stronger warning. Domain controllers and approved synchronization accounts may generate legitimate replication events. A general administrator account normally should not produce a large series of them.

Observed detailMeaning
Event ID 4662An operation was performed on an audited Active Directory object
ObjectServer: DSThe request involved the Directory Service
AccessMask: 0x100The operation requested a control access right
GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2DS-Replication-Get-Changes
GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2DS-Replication-Get-Changes-All
Unexpected subject accountA non-DC, non-approved identity initiated the requests

How the DCSync technique works

DCSync abuses the Directory Replication Service Remote Protocol used by domain controllers to replicate directory information. Instead of copying the Active Directory database file from a controller, an attacker submits replication requests through the normal protocol.

The MITRE ATT&CK DCSync entry classifies the technique as OS Credential Dumping, identified as T1003.006. MITRE notes that attackers can retrieve current and historical password hashes for valuable accounts, including administrators and KRBTGT.

The activity requires an account with suitable replication permissions. Domain Admins, Enterprise Admins, certain built-in administrators, domain controller computer accounts, and specially delegated identities may hold the necessary rights. DCSync does not provide those permissions to an ordinary user automatically.

  • DS-Replication-Get-Changes allows an account to request replicated directory changes.
  • DS-Replication-Get-Changes-All extends access to secret domain data, including credential material.
  • DS-Replication-Get-Changes-In-Filtered-Set may also matter in environments using filtered attribute sets.

Microsoft’s protocol documentation confirms that the DS-Replication-Get-Changes-All right uses the GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2. That identifier in an audited control-access event helps defenders recognize requests involving sensitive replication rights.

Why the Administrator account raised suspicion

A 4662 event containing a replication GUID does not prove malicious activity on its own. Domain controllers replicate data as part of normal operations, while identity synchronization products may need similar permissions.

Microsoft documents the accounts and permissions used by Microsoft Entra Connect. These connector accounts can explain regular replication events, particularly when organizations use features such as password hash synchronization.

Qilin Ransomware Active Directory DCSync1

Fielenbach’s findings stood out because the requesting identity and timing no longer matched the established baseline. His incident findings attributed the later burst to the built-in Administrator account rather than the expected MSOL_ synchronization identity.

Event volume offered useful supporting evidence, but organizations should not create detections based only on a fixed event threshold. The number of records can vary with the requested data, auditing policy, domain configuration, and tool used.

How defenders can detect DCSync activity

Security teams should identify every account authorized to perform directory replication and compare observed requests against that allowlist. Any request from an unexpected user, service account, or workstation requires immediate investigation.

Microsoft states that 4662 logging depends on the Audit Directory Service Access policy and appropriate SACLs. Enabling the audit policy alone may not produce all the records needed for a useful detection.

MITRE’s DCSync detection guidance recommends monitoring replication requests from non-domain-controller systems and correlating Active Directory object-access events with network activity involving the DRSUAPI interface.

  • Collect Event ID 4662 from every writable domain controller.
  • Look for AccessMask 0x100 and directory replication GUIDs in the Properties field.
  • Exclude only verified domain controller and synchronization accounts.
  • Alert when replication requests originate from unexpected systems or identities.
  • Investigate newly delegated replication permissions and unexplained group membership changes.

Organizations should review replication permissions

Administrators should regularly audit who holds Replicating Directory Changes and Replicating Directory Changes All permissions. They should remove obsolete delegations, protect synchronization accounts, and monitor changes to access control entries at the domain root.

Entra Connect permissions should reflect the synchronization features an organization actually uses. Microsoft’s account permissions reference can help teams distinguish required access from permissions that no longer serve an operational purpose.

Responders who confirm unauthorized DCSync activity should assume that sensitive domain credentials may have been exposed. The response may require password resets for privileged and service accounts, endpoint containment, investigation of persistence mechanisms, and a controlled KRBTGT password reset performed twice with adequate replication time between changes.

DCSync Attack Detailed

Teams should also verify the exact rights involved. Microsoft identifies DS-Replication-Get-Changes-All as a distinct control access right, making its GUID a valuable indicator when reviewing 4662 records.

The incident shows why Active Directory replication monitoring should form part of baseline ransomware defenses. Detecting an unexpected identity making replication requests can expose credential theft before attackers complete encryption and extortion operations.

FAQ

What is a DCSync attack?

A DCSync attack abuses Active Directory replication permissions to request credential data from a domain controller. It can expose password hashes for users, administrators, service accounts, and the KRBTGT account.

Is DCSync a privilege-escalation technique?

Not by itself. An attacker must first control an account with suitable directory replication rights. DCSync then allows the attacker to extract credentials that may support further privilege escalation, lateral movement, or persistence.

Which Windows event can reveal DCSync activity?

Event ID 4662 can record Active Directory replication operations when Directory Service Access auditing and the appropriate SACLs are enabled. Defenders should examine the requesting account, replication GUIDs, source system, and normal environment baseline.

Does every Event ID 4662 indicate an attack?

No. Domain controllers and approved synchronization services can generate legitimate 4662 events. Requests become suspicious when they come from an unexpected identity or system, especially when they include replication access rights.

What should an organization do after detecting DCSync?

The organization should contain the compromised systems and accounts, investigate the intrusion path, review replication permissions, reset exposed credentials, and plan a controlled double reset of the KRBTGT password if domain compromise is confirmed.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages