Potential DCSync by an unusual user

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-02-09

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Windows Event Collector OR XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005) Credential Access (TA0006)
ATT&CK Technique	OS Credential Dumping: DCSync (T1003.006) Rogue Domain Controller (T1207)
Severity	Informational

Attackers may leverage the domain replication process to extract sensitive information (DCSync).

An attacker is trying to retrieve Active Directory data, including password hashes.

Check the role of the account, and see if it should initiate a DC synchronization.
Check if the account performing the DCSync is related to a new DC.
Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID').
Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it.
Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Attackers may leverage the domain replication process to extract sensitive information (DCSync).

An attacker is trying to retrieve Active Directory data, including password hashes.

Check the role of the account, and see if it should initiate a DC synchronization.
Check if the account performing the DCSync is related to a new DC.
Find the source host of the DCSync (correlate between event 4662 and 4624 based on the field 'Logon ID').
Check if the account was recently added to an administrative groups/had new sensitive privileges assigned to it.
Monitor suspicious traffic to/from the host to identify lateral movement or access to sensitive resources.