Qilin ransomware has adopted a stealthy new approach, abusing the DCSync technique to exploit Active Directory replication protocols. In this latest incident, attackers were able to harvest the KRBTGT hash and every domain NTLM hash, exposing critical credentials that underpin the security of enterprise environments. This blog post examines the Qilin ransomware DCSync attack in detail, highlighting how it worked, who was affected, and what security teams need to know.
Qilin Ransomware Attack: How the DCSync Technique Was Used
The Qilin ransomware group’s intrusion was analysed by security researcher Maurice Fielenbach, who uncovered a sophisticated privilege escalation method. The attackers leveraged legitimate Active Directory (AD) replication protocols, specifically using the DCSync technique, to impersonate a domain controller and request sensitive password data via the Directory Replication Service Remote Protocol (MS-DRSR).
Timeline and Discovery
The attack was identified through careful analysis of Windows security logs. In the victim environment, a Microsoft Entra Connect account (with the MSOL_* prefix) was used legitimately for directory synchronisation every two minutes, with logs at 01:19, 01:21, and 01:23 reflecting this predictable pattern.
However, at 01:25, a significant deviation occurred. Several hundred Event ID 4662 entries appeared, this time under the built-in Administrator account. This account, unlike the legitimate sync account, should not have performed such bulk replication requests, raising an immediate red flag for investigators.
Technical Details of the Attack
Event ID 4662 is generated when directory service access auditing is enabled in Active Directory. These logs record operations against AD objects, and in this case, a specific fingerprint was observed in the malicious events:
- ObjectServer: DS (Directory Service)
- AccessMask: 0x100 (Control Access)
- Properties containing GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
- Properties containing GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
The critical element here is the DS-Replication-Get-Changes-All permission (second GUID). This grants an account the ability to replicate all secret domain data, including password hashes, similar to the privileges held by a domain controller during normal replication. With these rights, an attacker using the DCSync technique can request and obtain password data for any account in the domain without writing files or triggering typical endpoint alerts.
DCSync: Attack Mechanism and Common Tools
DCSync is a technique popularised by post-exploitation tools like Mimikatz. By impersonating a domain controller, attackers can use the MS-DRSR protocol to extract credentials directly from Active Directory. Notably, this method does not require direct access to the domain controller’s disk, making it stealthier than many traditional credential theft tactics.
In the Qilin case, the attackers focused on identity rather than volume. The legitimate Entra Connect synchronisation account consistently generated low, predictable replication traffic. The sudden spike in Event ID 4662 entries, all tied to the built-in Administrator account, provided a clear signal of malicious activity. This distinction is important, as domain controllers and sync tools do generate similar events under normal circumstances, but rarely from accounts outside a tightly defined set of principals.
Scope and Impact: Who Was Affected and What Was Stolen
This attack targeted an Active Directory environment where directory service access auditing was enabled. All domain accounts were at risk, as the DCSync technique allows attackers to retrieve NTLM password hashes for every account, as well as the KRBTGT hash. The KRBTGT account is particularly sensitive because it is used for Kerberos ticket signing, and compromise enables attackers to create Golden Tickets for persistent, stealthy access.
- All user and computer accounts in the domain were exposed via NTLM hash extraction.
- The KRBTGT account hash, crucial for Kerberos authentication, was harvested.
- The attack used the built-in Administrator account, which should never legitimately perform replication at this scale.
While the exact number of organisations affected by Qilin’s use of this technique is not clear, the detailed analysis of this intrusion highlights how attackers are combining ransomware operations with advanced identity-focused post-exploitation techniques.
Detection and Current Exploitation Status
The incident demonstrates that traditional event volume monitoring is insufficient for detecting stealthy attacks like DCSync. Instead, defenders should build detection rules around identity and privilege context. In this case, the burst of Event ID 4662 logs tied to the built-in Administrator account was the primary indicator of compromise.
Key detection characteristics for this type of attack include:
- Event ID 4662 with DS-Replication-Get-Changes or DS-Replication-Get-Changes-All GUIDs under non-domain controller or non-sync accounts.
- Replication protocol activity outside normal synchronisation schedules or involving privileged accounts.
- Sudden spikes in directory replication activity where the requesting account is not in the expected list of service principals.
At present, DCSync abuse remains an active threat vector, especially for ransomware groups seeking to maximise impact and establish deep persistence within compromised networks. The Qilin group’s adoption of this approach underscores the trend towards identity-centric attacks in modern ransomware campaigns.
Why This Matters and What Organisations Should Do Next
This Qilin ransomware intrusion shows that attackers are leveraging advanced, native AD features to blend in with normal operations and evade detection. The theft of the KRBTGT and all NTLM hashes enables not just data theft, but long-term persistence and further lateral movement.
- Review and tighten privileges on replication rights within Active Directory.
- Monitor for Event ID 4662 with DS-Replication-Get-Changes[-All] from unexpected accounts.
- Investigate any use of the built-in Administrator account for replication operations.
Organisations should prioritise detection engineering that correlates privilege context and account identity, rather than relying solely on event volume, to uncover similar attacks.
Originally reported by cybersecuritynews.com.





