Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Qilin Ransomware Exploits Active Directory with DCSync

Qilin Ransomware Exploits Active Directory with DCSync

Posted on July 14, 2026 By CWS

A new wave of attacks attributed to the Qilin ransomware group has highlighted a sophisticated method of privilege escalation, taking advantage of Active Directory’s replication protocols. This approach allows attackers to extract domain credentials, including sensitive KRBTGT hashes and NTLM password hashes, across the domain.

Uncovering the DCSync Technique

Security expert Maurice Fielenbach unearthed this method through detailed analysis of Windows Security logs. He discovered that the Microsoft Entra Connect synchronization account, usually an MSOL_* account, was engaging in regular directory replication every two minutes. This predictable activity was noted at times like 01:19, 01:21, and 01:23.

However, at 01:25, a notable anomaly appeared. Hundreds of Event ID 4662 entries were recorded, but this time under the built-in Administrator account, which typically does not perform such bulk replication tasks.

Understanding Event ID 4662

Event ID 4662 is critical in tracking operations against Active Directory objects, assuming directory service access auditing is enabled. In this case, malicious activities were marked by specific properties:

  • ObjectServer: DS (Directory Service)
  • AccessMask: 0x100 (Control Access)
  • Properties with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
  • Properties with GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)

The second GUID is particularly significant as it offers access to secret domain data, such as password hashes, mirroring the rights used by domain controllers during standard replication processes.

Detecting DCSync Attacks

The DCSync method, extensively used by tools like Mimikatz, mimics a domain controller to solicit password information via the Directory Replication Service Remote Protocol (MS-DRSR), without directly accessing a domain controller’s disk.

Although a single Event ID 4662 with these GUIDs isn’t inherently harmful, the change in identity rather than volume was a red flag. The activity originated from an account outside the typical group of accounts authorized for replication.

Security analysts recommend that identity monitoring should be prioritized over mere event counting, given the variability in event counts based on request scope and audit configuration.

To bolster defenses, organizations should audit permissions for Replicating Directory Changes, enable Directory Service Access auditing on domain controllers, and incorporate 4662 events into SIEM systems to flag suspicious accounts.

As Qilin ransomware continues to evolve with a focus on credential theft, detection of DCSync attacks should be a fundamental security measure rather than an advanced one.

Cyber Security News Tags:Active Directory, credential theft, Cybersecurity, DCSync, Microsoft Entra, network security, privilege escalation, Qilin ransomware, security logs, SIEM, threat detection

Post navigation

Previous Post: Critical Flaws in Claude for Chrome Allow Unauthorized Access
Next Post: RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Related Posts

Massive Cyber-Attack Attacking macOS Users via GitHub Pages to Deliver Stealer Malware Massive Cyber-Attack Attacking macOS Users via GitHub Pages to Deliver Stealer Malware Cyber Security News
CISA Alerts on FileZen Vulnerability Exploitation CISA Alerts on FileZen Vulnerability Exploitation Cyber Security News
TrueConf Vulnerability Added to CISA’s KEV List TrueConf Vulnerability Added to CISA’s KEV List Cyber Security News
Top 20 APM Tools to Enhance Application Performance Top 20 APM Tools to Enhance Application Performance Cyber Security News
New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials New FrigidStealer Malware Attacking macOS Users to Steal Login Credentials Cyber Security News
Critical DNN Platform Vulnerability Let Attackers Execute Malicious Scripts Critical DNN Platform Vulnerability Let Attackers Execute Malicious Scripts Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security
  • Qilin Ransomware Exploits Active Directory with DCSync
  • Critical Flaws in Claude for Chrome Allow Unauthorized Access

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark