Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Qilin Ransomware Exploits Active Directory with DCSync

Qilin Ransomware Exploits Active Directory with DCSync

Posted on July 14, 2026 By CWS

A new wave of attacks attributed to the Qilin ransomware group has highlighted a sophisticated method of privilege escalation, taking advantage of Active Directory’s replication protocols. This approach allows attackers to extract domain credentials, including sensitive KRBTGT hashes and NTLM password hashes, across the domain.

Uncovering the DCSync Technique

Security expert Maurice Fielenbach unearthed this method through detailed analysis of Windows Security logs. He discovered that the Microsoft Entra Connect synchronization account, usually an MSOL_* account, was engaging in regular directory replication every two minutes. This predictable activity was noted at times like 01:19, 01:21, and 01:23.

However, at 01:25, a notable anomaly appeared. Hundreds of Event ID 4662 entries were recorded, but this time under the built-in Administrator account, which typically does not perform such bulk replication tasks.

Understanding Event ID 4662

Event ID 4662 is critical in tracking operations against Active Directory objects, assuming directory service access auditing is enabled. In this case, malicious activities were marked by specific properties:

  • ObjectServer: DS (Directory Service)
  • AccessMask: 0x100 (Control Access)
  • Properties with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  • Properties with GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)

The second GUID is particularly significant as it offers access to secret domain data, such as password hashes, mirroring the rights used by domain controllers during standard replication processes.

Detecting DCSync Attacks

The DCSync method, extensively used by tools like Mimikatz, mimics a domain controller to solicit password information via the Directory Replication Service Remote Protocol (MS-DRSR), without directly accessing a domain controller’s disk.

Although a single Event ID 4662 with these GUIDs isn’t inherently harmful, the change in identity rather than volume was a red flag. The activity originated from an account outside the typical group of accounts authorized for replication.

Security analysts recommend that identity monitoring should be prioritized over mere event counting, given the variability in event counts based on request scope and audit configuration.

To bolster defenses, organizations should audit permissions for Replicating Directory Changes, enable Directory Service Access auditing on domain controllers, and incorporate 4662 events into SIEM systems to flag suspicious accounts.

As Qilin ransomware continues to evolve with a focus on credential theft, detection of DCSync attacks should be a fundamental security measure rather than an advanced one.

Cyber Security News Tags:Active Directory, credential theft, Cybersecurity, DCSync, Microsoft Entra, network security, privilege escalation, Qilin ransomware, security logs, SIEM, threat detection

Post navigation

Previous Post: Critical Flaws in Claude for Chrome Allow Unauthorized Access
Next Post: RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Related Posts

Critical Flaw in Cisco IMC Software Exposes Systems Critical Flaw in Cisco IMC Software Exposes Systems Cyber Security News
APT28 Exploits Microsoft Office Flaw Targeting Europe APT28 Exploits Microsoft Office Flaw Targeting Europe Cyber Security News
CISA Alerts on Exploited Microsoft Vulnerabilities CISA Alerts on Exploited Microsoft Vulnerabilities Cyber Security News
CISA Warns of Control Web Panel OS Command Injection Vulnerability Exploited in Attacks CISA Warns of Control Web Panel OS Command Injection Vulnerability Exploited in Attacks Cyber Security News
Chrome Emergency Update to Patch Multiple Vulnerabilities that Enable Remote Code Execution Chrome Emergency Update to Patch Multiple Vulnerabilities that Enable Remote Code Execution Cyber Security News
GitLab Security Flaws Demand Immediate Patching GitLab Security Flaws Demand Immediate Patching Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark