VYPR
breachPublished Jul 14, 2026· 1 source

Qilin Ransomware Abuses Active Directory Replication for Credential Theft

Qilin ransomware operators are employing the DCSync technique to steal critical Active Directory credentials, including KRBTGT and NTLM hashes, by exploiting the Directory Replication Service Remote Protocol.

A recent campaign by the Qilin ransomware group has highlighted a sophisticated method for compromising Active Directory environments by leveraging the DCSync technique. This advanced tactic allows attackers to extract sensitive domain credentials, including the highly prized KRBTGT hash and NTLM password hashes for all user accounts within the domain, without needing to directly access a domain controller.

The technique was identified by security researcher Maurice Fielenbach, who observed anomalies in Windows Security logs during an intrusion. Legitimate synchronization processes, such as those performed by Microsoft Entra Connect, typically occur at regular intervals. Fielenbach noted a deviation from the expected pattern, with a sudden surge of Event ID 4662 entries logged under the built-in Administrator account. This account, unlike dedicated synchronization accounts, has no legitimate reason to perform bulk replication requests.

Event ID 4662 logs operations against Active Directory objects when directory service access auditing is enabled. The malicious activity was characterized by specific properties within these logs, notably the inclusion of GUIDs associated with DS-Replication-Get-Changes and, critically, DS-Replication-Get-Changes-All. The latter grants permissions equivalent to those used by domain controllers during normal replication, including access to password hashes.

DCSync, a technique popularized by tools like Mimikatz, works by impersonating a domain controller to request password data via the Directory Replication Service Remote Protocol (MS-DRSR). By doing so, attackers can obtain credential information without ever needing to write to or directly compromise a domain controller's file system, making it a stealthy and effective method for privilege escalation.

While a single Event ID 4662 with replication GUIDs is not inherently malicious, as domain controllers and legitimate sync tools constantly perform replication, the context is key. The Qilin attack distinguished itself by the identity of the account initiating the replication requests – the built-in Administrator – which falls outside the expected list of principals authorized for such operations. This shift in identity, rather than just an increase in event volume, served as a critical indicator of compromise.

Security professionals are advised to focus detection efforts on the identity of the actor performing replication requests rather than solely on event counts. Reliable detection can be built around Event ID 4662 entries where the subject account is not a domain controller or an approved synchronization account, and the access mask and properties indicate replication rights are being abused.

To defend against such attacks, organizations should rigorously audit and restrict which accounts possess 'Replicating Directory Changes' and 'Replicating Directory Changes All' permissions. Enabling comprehensive Directory Service Access auditing on domain controllers and feeding these 4662 events into SIEM correlation rules to flag non-standard replication requests are crucial steps. Given Qilin's ongoing evolution and focus on credential theft for lateral movement, implementing robust DCSync detection should be considered a fundamental security control.

Synthesized by Vypr AI