New Qilin Ransomware Attack Uses DCSync Technique to Abuse AD Replication Protocol

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A recent Qilin ransomware intrusion has revealed a stealthy privilege escalation technique that abuses Active Directory’s built-in replication protocols to harvest domain credentials, including the coveted KRBTGT hash and NTLM password hashes for every account in the domain.

Security researcher Maurice Fielenbach, investigating the intrusion, identified the abuse through anomalies in Windows Security logs. The environment’s legitimate Microsoft Entra Connect synchronization account (an MSOL_* account) generated predictable directory replication activity every two minutes; timestamps at 01:19, 01:21, and 01:23 confirmed the pattern.

At 01:25, the baseline shifted. Several hundred Event ID 4662 entries appeared, this time logged under the built-in Administrator account, a subject that has no legitimate business performing bulk replication requests.

Qilin Ransomware Attack DCSync incident (Source: Maurice Fielenbach)

Event ID 4662 logs operations against AD objects when directory service access auditing is enabled. In this case, the malicious entries shared a distinct fingerprint:

  • ObjectServer: DS (Directory Service)
  • AccessMask: 0x100 (Control Access)
  • Properties containing GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  • Properties containing GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)

The second GUID is the critical one. DS-Replication-Get-Changes-All grants access to secret domain data, including password hashes, effectively the same rights a domain controller uses during normal replication.

This combination is the signature of DCSync, a technique popularized by tools like Mimikatz that impersonates a domain controller to request password data via the Directory Replication Service Remote Protocol (MS-DRSR), without ever touching disk on a DC.

DCSync Attack Detailed (Source: Cybersecuritynews)

A single 4662 event bearing these GUIDs isn’t inherently malicious. Domain controllers replicate constantly, and legitimate sync tools like Entra Connect rely on the same rights. What changed here wasn’t just volume; it was identity, Maurice Fielenbach posted.

The burst of activity came from an account (built-in Administrator) that sits outside the small, well-defined list of principals that should ever invoke replication rights.

Analysts caution that raw event counts vary by request scope and audit configuration, so responders should treat volume as supporting context rather than a standalone detection trigger.

Tip to Defenders

Defenders can build reliable detection around identity rather than count:

  • Event ID 4662 with AccessMask 0x1000x1000x100
  • Properties field containing either replication GUID
  • Subject account is not a domain controller computer account
  • Subject account is not an approved sync account (e.g., MSOL_*)

Any identity outside that allowlist performing replication requests warrants immediate investigation.

Organizations should audit and tightly restrict which accounts hold Replicating Directory Changes and Replicating Directory Changes All permissions, enable Directory Service Access auditing on domain controllers, and feed 4662 events into SIEM correlation rules that flag non-DC, non-sync identities.

Given Qilin’s continued evolution toward credential-theft-driven lateral movement, DCSync detection should be considered a baseline control, not an advanced one.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.