Detects DCSync attacks by analyzing Windows event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain controller accounts. For Active Directory threat hunting.
Slash command: /cybersecurity-skills-zh:hunting-for-dcsync-attacks
- When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
| Concept | Description |
|---|---|
| DCSync | Abuse of the AD replication protocol (a DsGetNCChanges request) to pull password hashes from a domain controller |
| Event ID 4662 | Directory Service Access audit event ("An operation was performed on an object"); requires the "Audit Directory Service Access" subcategory to be enabled |
| DS-Replication-Get-Changes | Extended right, GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 |
| DS-Replication-Get-Changes-All | Extended right, GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2; this is the right that allows secret attributes to be replicated |
| AccessMask 0x100 | Control Access (ADS_RIGHT_DS_CONTROL_ACCESS), the mask used when an extended right is checked |
| T1003.006 | OS Credential Dumping: DCSync |
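The detection described by the concept table, run over constructed sample records. This is an added example and not code from the cybersecurity-skills-zh project: the event dicts below are made up to mirror the fields of Security log events 4662 and 4624 after parsing, the `dc_accounts` and `allowlist` inputs are assumed to be maintained by the hunter, and the risk scheme (critical when DS-Replication-Get-Changes-All is requested, high otherwise) is an assumption of this example. It goes slightly beyond the table by also matching DS-Replication-Get-Changes-In-Filtered-Set and by correlating the 4662 Subject Logon ID with a 4624 logon to recover the source IP, since 4662 itself carries no network address.

```python
import re

# Replication extended rights requested by DCSync. The first two GUIDs are the
# ones in the concept table; the third (Get-Changes-In-Filtered-Set) is added here.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: an extended-right check
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample records (not real logs): 4662 and 4624 fields flattened
# into dicts, as a SIEM or Get-WinEvent XML parser would present them.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication by a domain controller computer account.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e4",
     "ObjectName": "DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Network logon that precedes the suspicious request below (same Logon ID).
    {"EventID": 4624, "Computer": "DC01.corp.local", "TargetUserName": "jdoe",
     "TargetLogonId": "0x9a1c3f", "IpAddress": "10.0.5.23", "LogonType": "3"},
    # A user account requesting replication rights: the DCSync pattern.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "SubjectLogonId": "0x9a1c3f",
     "ObjectName": "DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user, a plain property read (mask 0x10) of an unrelated attribute GUID: not DCSync.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "SubjectLogonId": "0x9a1c3f",
     "ObjectName": "CN=jdoe,CN=Users,DC=corp,DC=local", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # Allow-listed Azure AD Connect sync account: legitimate replication.
    {"EventID": 4662, "Computer": "DC01.corp.local", "SubjectUserName": "MSOL_1a2b3c",
     "SubjectDomainName": "CORP", "SubjectLogonId": "0x7c0d11",
     "ObjectName": "DC=corp,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def requested_replication_rights(event):
    """Return the replication extended rights named in a 4662 Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}


def is_domain_controller_account(user, dc_accounts):
    """DC computer accounts end in '$'; compare case-insensitively against the known set."""
    return user.endswith("$") and user.upper() in {d.upper() for d in dc_accounts}


def hunt_dcsync(events, dc_accounts, allowlist=()):
    """Flag 4662 control-access requests for replication rights by non-DC principals.

    The source IP is recovered from the 4624 logon whose Logon ID matches the
    4662 Subject Logon ID; 4662 on its own has no IpAddress field.
    """
    logon_ip = {e["TargetLogonId"].lower(): e.get("IpAddress")
                for e in events if e["EventID"] == 4624}
    allowed = {a.upper() for a in allowlist}
    findings = []
    for e in events:
        if e["EventID"] != 4662 or (int(e["AccessMask"], 16) & CONTROL_ACCESS) == 0:
            continue
        rights = requested_replication_rights(e)
        user = e["SubjectUserName"]
        if not rights or is_domain_controller_account(user, dc_accounts) or user.upper() in allowed:
            continue
        findings.append({
            "technique": "T1003.006",
            "domain_controller": e["Computer"],
            "principal": f'{e["SubjectDomainName"]}\\{user}',
            "source_ip": logon_ip.get(e["SubjectLogonId"].lower()),
            "replication_rights": sorted(rights),
            # Assumed severity scheme for this example: Get-Changes-All is what yields secrets.
            "risk": "critical" if "DS-Replication-Get-Changes-All" in rights else "high",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_dcsync(SAMPLE_EVENTS, dc_accounts={"DC01$", "DC02$"}, allowlist={"MSOL_1a2b3c"}):
        print(f)
```

The allow-list is where the false positives live: Azure AD Connect (MSOL_ accounts), some backup agents, and any account with legitimate replication rights will appear here, so review BloodHound's list of principals holding those rights before tuning it, and treat a new name on the list as a finding in its own right.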
| Tool | Purpose |
|---|---|
| Windows Event Viewer | Direct analysis of the Security log |
| Splunk | SIEM correlation of event 4662 |
| Elastic Security | DCSync pattern detection rules |
| Mimikatz lsadump::dcsync | Attack tool that performs DCSync |
| Impacket secretsdump.py | Python-based DCSync implementation |
| BloodHound | Identifies accounts that hold replication rights |
Hunt ID: TH-DCSYNC-[date]-[sequence]
Technique: T1003.006
Domain controller: [DC hostname]
Subject account: [account that performed the replication]
Source IP: [non-DC IP address]
GUIDs accessed: [replication GUIDs]
Risk level: [critical/high/medium/low]
Recommended action: [disable the account, reset krbtgt (twice, allowing replication to complete between resets), expand the investigation]
Install: npx claudepluginhub killvxk/cybersecurity-skills-zh
Detects DCSync attacks in Active Directory by monitoring non-domain controller accounts requesting directory replication via DsGetNCChanges and Event ID 4662. Useful for threat hunting credential theft with Mimikatz or Impacket.