What This Script Detects
DCSync (MITRE ATT&CK T1003.006) abuses Active Directory replication to extract password hashes without touching LSASS or NTDS.dit on a domain controller. An account holding replication rights can ask a DC to replicate every account's credentials to it remotely, as if it were another domain controller, and so dump the whole domain.
Detection Indicators
- Event ID 4662 whose Properties field contains the replication extended-right GUIDs (those beginning 1131f6aa, 1131f6ad or 89e95b76)
- Requests originating from systems that are not domain controllers
- Requesting accounts that are not members of the "Enterprise Domain Controllers" group
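The three indicators above combine into one check: pull the replication GUIDs out of a 4662 event's Properties field, find where the requesting logon came from, and flag any request that is not a DC talking to a DC. The following is an added example written for this page, not the script the page describes. It assumes 4662 and 4624 events have already been exported as dictionaries keyed by their XML field names (SubjectUserName, SubjectLogonId, Properties, TargetLogonId, IpAddress); the DC address list, the Enterprise Domain Controllers membership and all event records are constructed for the example. The GUIDs are the full well-known extended-right GUIDs whose leading segments the indicator list quotes.

```python
"""Flag DCSync-style 4662 events by correlating them with 4624 logons (added example)."""
import re
from dataclasses import dataclass

# Full extended-right GUIDs for AD replication; the page lists their first segments.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed inventory: where legitimate replication may come from and who may do it.
DC_ADDRESSES = {"10.0.0.5", "10.0.0.6"}
ENTERPRISE_DC_MEMBERS = {"DC01$", "DC02$"}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I
)


@dataclass
class Finding:
    account: str
    source: str
    rights: list
    reasons: list


def replication_rights_in(properties: str) -> set:
    """Return the replication rights named in a 4662 Properties field (empty if none)."""
    found = set()
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def logon_sources(events_4624) -> dict:
    """Map each logon ID to the network address the 4624 event recorded for it."""
    return {e["TargetLogonId"]: e.get("IpAddress", "-") for e in events_4624}


def detect_dcsync(events_4662, events_4624,
                  dc_addresses=DC_ADDRESSES, edc_members=ENTERPRISE_DC_MEMBERS):
    """Return a Finding for every replication request not made by a DC from a DC."""
    sources = logon_sources(events_4624)
    findings = []
    for e in events_4662:
        rights = replication_rights_in(e.get("Properties", ""))
        if not rights:
            continue  # ordinary directory access, not a replication request
        account = e["SubjectUserName"]
        source = sources.get(e["SubjectLogonId"], "unknown")  # no matching 4624 -> unknown
        reasons = []
        if account not in edc_members:
            reasons.append(f"{account} is not in Enterprise Domain Controllers")
        if source not in dc_addresses:
            reasons.append(f"request came from {source}, which is not a domain controller")
        if reasons:
            findings.append(Finding(account, source, sorted(rights), reasons))
    return findings


# Constructed sample events. Event 0 is DC02 replicating normally; event 1 is a
# service account requesting replication from a workstation; event 2 is a
# non-replication 4662 that must be ignored.
SAMPLE_4624 = [
    {"TargetLogonId": "0x7c0f2", "TargetUserName": "DC02$", "IpAddress": "10.0.0.6"},
    {"TargetLogonId": "0x5a3b1", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.42"},
]
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectLogonId": "0x7c0f2", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x5a3b1", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x5a3b1", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{bf967a9c-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662, SAMPLE_4624):
        print(f"{f.account} from {f.source} requested {', '.join(f.rights)}: "
              + "; ".join(f.reasons))
```

The source host is taken from the 4624 event sharing the 4662 event's logon ID, because 4662 itself does not record a client address. A 4662 for replication is only written when the domain object's SACL audits Control Access; without that audit entry the indicators above never appear in the log, so confirming the SACL is part of deploying the detection.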