Possible DC Sync Attempt

The Possible DC Sync Attempt alert indicates that Active Directory replication is taking place between a domain controller (DC) and a host which is not a DC.

Synopsis

10 minutes
3 days
14 days
10 min
Traffic and Enhanced Application logs.
Severity
Medium

Description

Attackers may replicate Active Directory data to compromised domain-joined computers (an operation called DCSync).

Attacker's Goals

An attacker is trying to retrieve Active Directory data.

Investigative Actions

Check whether one of the machines is a new domain controller.
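The alert condition and the investigative check above can be sketched over replication records as follows. This is an added example, not the product's detection logic: the record schema, interface and operation labels, IP addresses and both DC inventories are constructed for illustration.

```python
from typing import NamedTuple

# Constructed records in a hypothetical schema (not the product's log format).
SAMPLE_LOGS = [
    # DC to DC replication: expected
    {"ts": "2024-05-01T10:00:03Z", "src": "10.0.0.11", "dst": "10.0.0.10",
     "rpc_interface": "drsuapi", "operation": "DRSGetNCChanges"},
    # Workstation requesting replication from a DC
    {"ts": "2024-05-01T10:04:41Z", "src": "10.0.5.77", "dst": "10.0.0.10",
     "rpc_interface": "drsuapi", "operation": "DRSGetNCChanges"},
    # Host promoted to DC after the baseline was taken
    {"ts": "2024-05-01T10:09:12Z", "src": "10.0.0.12", "dst": "10.0.0.10",
     "rpc_interface": "drsuapi", "operation": "DRSGetNCChanges"},
    # Non-replication RPC from the same workstation: ignored
    {"ts": "2024-05-01T10:10:00Z", "src": "10.0.5.77", "dst": "10.0.0.10",
     "rpc_interface": "samr", "operation": "SamrConnect5"},
]
BASELINE_DCS = {"10.0.0.10", "10.0.0.11"}              # inventory at baseline
CURRENT_DCS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}  # refreshed inventory


class Finding(NamedTuple):
    ts: str
    host: str      # the replication peer that is not a baseline DC
    dc: str        # the baseline DC on the other side
    verdict: str   # "new_dc" or "investigate"


def is_replication(rec: dict) -> bool:
    return (rec["rpc_interface"], rec["operation"]) == ("drsuapi", "DRSGetNCChanges")


def triage(logs, baseline_dcs, current_dcs):
    """Flag replication between a baseline DC and a non-DC, then apply the
    investigative check: is the non-DC host a newly added domain controller?"""
    findings = []
    for rec in logs:
        if not is_replication(rec):
            continue
        peers = [rec["src"], rec["dst"]]
        non_dcs = [p for p in peers if p not in baseline_dcs]
        if len(non_dcs) != 1:
            continue  # DC to DC, or no baseline DC involved
        host = non_dcs[0]
        dc = peers[1 - peers.index(host)]
        verdict = "new_dc" if host in current_dcs else "investigate"
        findings.append(Finding(rec["ts"], host, dc, verdict))
    return findings
```

A `new_dc` verdict only means the host appears in the refreshed inventory; the promotion itself should still be confirmed as an authorized change.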
