EventPeeker
Event ID 4662 · Audit Success · Security · T1003.006

Windows Event ID 4662: Operation Performed on Active Directory Object

Logged when an operation is performed on an Active Directory object — such as a user, computer, or the domain partition itself. The critical event for detecting DCSync attacks and unauthorized AD replication.

MITRE ATT&CK

Technique

T1003.006 · DCSync

Tactic

Credential Access


Why It Matters

Attackers with sufficient privileges use DCSync (via Mimikatz or Impacket's secretsdump) to impersonate a domain controller and request password hashes for any account — including krbtgt and domain admins — without ever touching the DC filesystem. Event ID 4662 with replication-related access rights is the primary detection signal. A non-DC account requesting DS-Replication-Get-Changes-All is almost never legitimate.

Key Fields

Object DN: The distinguished name of the AD object accessed — the domain partition (DC=...) indicates domain-level replication
Access Mask / Properties: Look for DS-Replication-Get-Changes (1131f6aa...) and DS-Replication-Get-Changes-All (1131f6ad...) — together they allow full password hash extraction
Subject Account Name: The account performing the operation — should only ever be machine accounts ending in $ (actual DCs). Any user account is suspicious.
Object Type: domainDNS indicates domain partition access — the target of a DCSync attack

Investigation Tips

  1. Filter for Subject Account Name that does NOT end in $ — legitimate replication is always performed by computer accounts (DCs), not user accounts.
  2. Look for GUID 1131f6ad (DS-Replication-Get-Changes-All) — this right is required to dump password hashes and is rarely granted to non-DCs.
  3. Correlate with 4624 logon events for the same account immediately before — Impacket secretsdump authenticates then immediately replicates.
  4. Check if the source machine is a known DC using your CMDB or the computer account list in AD. An unknown host requesting replication rights is a confirmed DCSync.
  5. Is this always malicious? No — legitimate backup tools (Veeam, Azure AD Connect) also trigger 4662 with replication rights. Verify the account and source host before escalating.
  6. Enable 'Audit Directory Service Access' under Advanced Audit Policy to generate 4662 — it is off by default on many DCs.
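As an added example (not part of the EventPeeker page), the triage logic from the tips above applied in Python to a few constructed 4662/4624 records: the full extended-right GUIDs, the sample events, the known-DC set and the allowlist are assumptions, and it generalises tip 1 to "any account not in the DC inventory", so a non-DC machine account is flagged as well.

```python
from datetime import datetime, timedelta

# Well-known extended-right GUIDs (the page shows them truncated as 1131f6aa... and 1131f6ad...).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample records, not real logs: the 4662/4624 fields a SIEM export might carry.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-05-01T10:00:01", "user": "jdoe", "ip": "10.0.0.55"},
    {"id": 4662, "time": "2024-05-01T10:00:03", "user": "jdoe", "object_type": "domainDNS",
     "properties": "{%s} {%s}" % (GET_CHANGES, GET_CHANGES_ALL)},   # user account: tip 1
    {"id": 4662, "time": "2024-05-01T10:05:00", "user": "DC02$", "object_type": "domainDNS",
     "properties": "{%s} {%s}" % (GET_CHANGES, GET_CHANGES_ALL)},   # known DC: normal replication
    {"id": 4662, "time": "2024-05-01T10:06:00", "user": "svc_aadconnect", "object_type": "domainDNS",
     "properties": "{%s}" % GET_CHANGES},                           # allowlisted sync account: tip 5
    {"id": 4662, "time": "2024-05-01T10:07:00", "user": "FILESRV01$", "object_type": "domainDNS",
     "properties": "{%s} {%s}" % (GET_CHANGES, GET_CHANGES_ALL)},   # machine account, not a DC: tip 4
    {"id": 4662, "time": "2024-05-01T10:08:00", "user": "jdoe", "object_type": "user",
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},       # no replication right: ignored
]

def dcsync_findings(events, known_dcs, allowlist, window_seconds=60):
    """Return suspicious 4662 records, enriched with the source IP of the preceding 4624 (tip 3)."""
    recent_logons = {}  # user -> (time, source ip) from the latest 4624 seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624:
            recent_logons[ev["user"]] = (t, ev.get("ip"))
            continue
        if ev["id"] != 4662:
            continue
        rights = [r for r in (GET_CHANGES, GET_CHANGES_ALL) if r in ev.get("properties", "").lower()]
        if not rights:
            continue  # tip 2: only replication rights matter for DCSync
        user = ev["user"]
        if user in known_dcs or user in allowlist:
            continue  # tips 4 and 5: a DC from the CMDB, or an approved sync/backup account
        logon = recent_logons.get(user)
        in_window = logon is not None and t - logon[0] <= timedelta(seconds=window_seconds)
        findings.append({
            "time": ev["time"], "user": user, "object_type": ev.get("object_type"), "rights": rights,
            "source_ip": logon[1] if in_window else None,
            "reason": "machine account not in DC list" if user.endswith("$") else "user account",
            "severity": "high" if GET_CHANGES_ALL in rights else "medium",
        })
    return findings

if __name__ == "__main__":
    print(dcsync_findings(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"svc_aadconnect"}))
```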

Related Event IDs

4624: Logon event — attacker authenticates before replicating
4672: Special privileges — replication rights assigned at logon
4663: Object access — LSASS and NTDS access for offline dumping
4768: Kerberos TGT — krbtgt hash from DCSync enables Golden Tickets
4769: Kerberos service ticket — used with forged credentials post-DCSync

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.


See Event ID 4662 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects Event ID 4662 (Operation Performed on Active Directory Object) patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
