Configure SACL and SIEM rules to detect DCSync attacks. DCSync uses the Directory Replication Service (DRS) protocol to extract password hashes from DCs. Only Domain Controllers and specific replication accounts should have replication rights.
MITRE ATT&CK T1003.006; Microsoft AD Security Best Practices
# Find accounts with DCSync rights (Replicating Directory Changes All)
# 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 is the DS-Replication-Get-Changes-All control access right
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
(Get-ACL "AD:$domainDN").Access |
Where-Object { $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" } |
Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize
DCSync (Mimikatz lsadump::dcsync or Impacket secretsdump.py) allows any account with Replicating Directory Changes All permissions to extract all password hashes from the domain, including the krbtgt hash needed for Golden Ticket attacks. It's often the final step in domain compromise and requires no code execution on the DC itself.
1. Audit: Identify all accounts with replication rights (should only be DCs)
2. Remove replication rights from any non-DC accounts
3. Configure SACL on domain root for replication GUID auditing
4. Forward Event ID 4662 with replication GUIDs to SIEM
5. Create alerting rule for DCSync detection
# List accounts with replication rights
# 1131f6ad-... = DS-Replication-Get-Changes-All, 1131f6aa-... = DS-Replication-Get-Changes
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$repGUIDs = @("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
              "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
(Get-ACL "AD:$domainDN").Access |
Where-Object { $repGUIDs -contains $_.ObjectType.ToString() } |
ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
# Should only show Domain Controllers and replication accounts
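Step 3 above names the SACL change but gives no command for it. The following is an added example, not part of the checklist's own commands: it adds a Success audit entry for Everyone on both replication control-access rights at the domain root, so that every DRS replication request produces Event ID 4662, and then verifies the result. It assumes Domain Admin rights in a session with the ActiveDirectory module, and it enables the Directory Service Access audit subcategory, without which no 4662 events are written.

```powershell
# Added example (not from the checklist): audit successful use of the two
# replication control-access rights on the domain root so that Event 4662 fires.
# Assumes Domain Admin rights and an ActiveDirectory module session.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")  # Everyone
$repGUIDs = @{
    "DS-Replication-Get-Changes"     = [guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
    "DS-Replication-Get-Changes-All" = [guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
}

# The SACL is part of the same security descriptor; -Audit reads it alongside the DACL.
$acl = Get-Acl -Path "AD:$domainDN" -Audit

foreach ($name in $repGUIDs.Keys) {
    # Audit rule scoped to one extended right (the replication GUID), non-inherited:
    # the right is only meaningful on the naming context root itself.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AuditFlags]::Success,
        $repGUIDs[$name],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAuditRule($rule)
    Write-Host "Added Success audit for $name"
}
Set-Acl -Path "AD:$domainDN" -AclObject $acl

# 4662 is only emitted when the Directory Service Access subcategory is enabled.
auditpol /set /subcategory:"Directory Service Access" /success:enable

# Verify: the SACL now carries one Success entry per replication right.
(Get-Acl -Path "AD:$domainDN" -Audit).Audit |
    Where-Object { $repGUIDs.Values -contains $_.ObjectType } |
    Select-Object IdentityReference, AuditFlags, ObjectType | Format-Table -AutoSize
```

Because Everyone is audited, legitimate DC-to-DC replication also logs 4662; the SIEM rule below is what separates DCs and allowlisted sync accounts from everything else.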
# DCSync detection: Event 4662 carrying a replication GUID, requested by a non-DC account
# Properties begins with an access-mask token, so the GUID needs a leading wildcard
index=windows EventCode=4662
Properties IN ("*1131f6ad-*","*1131f6aa-*")
| where NOT like(SubjectUserName, "%DC%$")
| stats count by SubjectUserName, SubjectDomainName, ClientAddress
| sort -count
Azure AD Connect service accounts legitimately need replication rights for password hash sync. Allowlist these in your SIEM detection rule.