ADVERTISEMENT / SPONSORED RESERVATION (728x90)
#4662
CriticalSuccess / Failure AuditDirectory Service Access
An operation was performed on an object
// EVENT DEFINITION:
Access or replication operation performed against an Active Directory directory object (`DS-Replication-Get-Changes`).
// DETAILED TELEMETRY & CONTEXT:
Event ID 4662 is logged on Domain Controllers when an account accesses or modifies Active Directory objects with specific control access rights. Specifically, when an account requests the rights `DS-Replication-Get-Changes` (`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2`) and `DS-Replication-Get-Changes-All` (`1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`), it indicates **DCSync** activity—an adversary using replication protocols to dump all domain password hashes directly without touching disk or NTDS.dit.
Failure Reason / Root Cause Analysis
Normal domain controller replication between authorized DCs, or **DCSync** attack executed by a compromised user/computer identity (`mimikatz lsadump::dcsync`).
Operational Metadata & Applicability
MITRE ATT&CK Framework Alignment
T1003.006
OS Credential Dumping: DCSyncTactic: Credential Access
Mitigation Playbook & Recommended SOC Actions
- •Alert immediately on any Event ID 4662 where `Properties` contains `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` AND the `SubjectUserName` is NOT an authorized Domain Controller computer account (`$?`).
- •Regularly audit accounts granted `Replicating Directory Changes` permissions in Active Directory.
Representative Windows Event XML Schema
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.274Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to An operation was performed on an object -->
</EventData>
</Event>Correlated / Related Security Event IDs
Need to export or view this event without styling/layout wrappers?
Open Simple Plain Detail Page →ADVERTISEMENT / SPONSORED RESERVATION (728x90)