Suspicious Active Directory Operations

View all detections
Suspicious Active Directory Operations


  • Either a new or non-domain controller host successfully triggered an anomalous Active Directory replication request against a legitimate domain controller. This functionality is normally limited to usage by domain controllers and limited high-privilege service accounts.

Possible Root Causes

Malicious Detection

  • Provided the malicious actor has the required permissions and connectivity to a domain controller, they can leverage the DRS RPC protocol to successfully execute the following attacks:
  • DCSync: A malicious actor mimics a domain controller and targets a legitimate domain controller to invoke a Replication request (GetNCChanges) of the targeted AD Database containing hashed passwords.
  • DCShadow: A malicious actor creates a rogue domain controller by targeting a legitimate domain controller to add itself to a group of hosts permitted to receive these requests (domain controllers). The attacker will then force replication, dumping the Active Directory database and hashed password to the rogue domain controller. The attacker then typically removes itself from the list of hosts permitted to receive the requests.

Benign Detection

  • A new domain controller has been deployed and hasn’t had enough history to be identified as a domain controller.

Business Impact

  • Specific Risk: Successful execution of either attack results in access to both usernames and hashed passwords of the targeted Active Directory infrastructure. An attacker can then perform offline attacks against the hashed passwords to escalate access.
  • Impact: These attacks likely result in a full domain compromise due to malicious actor having access to privileged account hashed passwords which will either be cracked or used to authenticate (NTLM) to other services/hosts.

Steps to Verify

  • Investigate the host involved in the alert, verify if the host is a true domain controller through either an internal CMDB or Active Query of Domain Controller hosts on your environment.
    - Either the addition or removal of a domain controller on an environment is a rare event in comparison to other events within the environment and more specially within the RPC metadata stream.
    - Usage of requests like GetNCChanges, ReplicaAdd, or UpdateRefs are explicit are specific to only domain controllers.
    - If this host is a domain controller you should add it to the Domain Controllers Group, and apply a triage filter to exclude this host from generating a detection.
  • Based on your environments configuration the replication requests should occur on a timely interval (default 15 minutes). In normal usage, you should see subsequent replication events. In malicious cases, these events will typically occur once, as there is no requirement for another replication of the database.
  • Review logs for indications of either privileged accounts with the following:
    - Privileged accounts using old/odd authentication types such as NTLM to new hosts and services.
    - Privileged accounts invoking actions across multiple hosts on network within the RPC metadata stream