Active Directory DCSync Rights Auditor - Defensive security audit tool for identifying accounts with replication rights. Blue Team tool. For authorized security auditing only.

License

Notifications You must be signed in to change notification settings

ayinedjimi/DCSyncAudit-AD

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DCSyncAudit-AD


Active Directory DCSync Rights Auditor — A 100% defensive security auditing tool that identifies accounts and groups with AD replication rights (DCSync) and classifies them as legitimate or suspicious.

DISCLAIMER: For authorized security auditing only. This tool performs READ-ONLY LDAP queries and does NOT perform any replication, exploitation, or credential dumping. Unauthorized use is strictly prohibited.


🇬🇧 Description (English)

DCSyncAudit-AD is a 100% defensive security auditing tool for Active Directory. It identifies all accounts and groups with replication rights (DCSync) on the domain and classifies them as legitimate or suspicious.

Features

  • DCSync Rights Audit: Read-only LDAP queries to identify ALL accounts/groups with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights
  • Automatic Classification: Legitimate (Domain Controllers, Domain Admins) vs suspicious (user accounts, service accounts, custom groups)
  • Nested Group Resolution: Detection of indirect membership paths to DCSync rights
  • AdminSDHolder Verification: Check protection of administrative accounts
  • Continuous Monitoring: Baseline of legitimate accounts with alerting on changes
  • Detection Rules: Automatic generation of Sigma, KQL (Azure Sentinel), and SPL (Splunk) rules
  • Hardening: Hardening recommendations with PowerShell remediation scripts
  • Compliance: CIS Benchmark and ANSSI verification
  • Reports: HTML, JSON, Markdown export with risk scoring
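As an added illustration of the audit, classification and nested-group features above (example code, not the project's own): given the ACEs from the domain head's nTSecurityDescriptor (here a constructed sample rather than a live LDAP read) and a group-membership map, it labels each principal that ends up holding both replication rights as legitimate or suspicious. The ACE type, access-mask bit, extended-right GUIDs and well-known RIDs are the documented Windows values; the domain SID and account RIDs in the sample are made up.

```python
from collections import defaultdict

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
ACCESS_ALLOWED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS = 0x05, 0x100
LEGIT_SIDS = {"S-1-5-9", "S-1-5-32-544"}  # Enterprise Domain Controllers, Administrators
LEGIT_RIDS = {"512", "516", "519"}        # Domain Admins, Domain Controllers, Enterprise Admins

def is_legitimate(sid):
    return sid in LEGIT_SIDS or (sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in LEGIT_RIDS)

def direct_rights(aces):
    """SID -> replication GUIDs granted by allow-object ACEs carrying the control-access bit."""
    rights = defaultdict(set)
    for a in aces:
        if a["type"] == ACCESS_ALLOWED_OBJECT_ACE and a["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
            if a["object_type"] in (GET_CHANGES, GET_CHANGES_ALL):
                rights[a["sid"]].add(a["object_type"])
    return rights

def effective_rights(rights, members):
    """Push each holder's GUIDs down through nested groups (members: group SID -> member SIDs)."""
    effective = defaultdict(set)
    for holder, guids in rights.items():
        stack, seen = [holder], set()
        while stack:
            sid = stack.pop()
            if sid not in seen:
                seen.add(sid)
                effective[sid] |= guids
                stack.extend(members.get(sid, ()))
    return dict(effective)

def classify(aces, members):
    """Label every principal that ends up holding replication rights."""
    findings = {}
    for sid, guids in effective_rights(direct_rights(aces), members).items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= guids:
            findings[sid] = "legitimate" if is_legitimate(sid) else "SUSPICIOUS"
        else:
            findings[sid] = "partial"  # a single right is not enough for DCSync
    return findings

# Constructed sample DACL for the fictitious domain SID S-1-5-21-1111-2222-3333.
D = "S-1-5-21-1111-2222-3333"
def ace(sid, guid): return {"type": 0x05, "mask": 0x100, "object_type": guid, "sid": sid}
SAMPLE_ACES = [ace(D + "-516", GET_CHANGES), ace(D + "-516", GET_CHANGES_ALL),   # Domain Controllers
               ace("S-1-5-9", GET_CHANGES),                                       # Enterprise DCs
               ace(D + "-1105", GET_CHANGES), ace(D + "-1105", GET_CHANGES_ALL),  # service account
               ace(D + "-1200", GET_CHANGES), ace(D + "-1200", GET_CHANGES_ALL)]  # custom group
SAMPLE_MEMBERS = {D + "-1200": [D + "-1250"], D + "-1250": [D + "-1301"]}         # nested path
```

Grants via GenericAll or WriteDacl on the domain head also need review in a real audit; this snippet only covers the two explicit extended rights.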

Usage

# Audit DCSync rights
dcsyncaudit-ad audit -s dc01.corp.local -d corp.local -u CORP\\admin -p password

# Create a baseline
dcsyncaudit-ad baseline create -s dc01.corp.local -d corp.local -u CORP\\admin -p password

# Monitor (compare with baseline)
dcsyncaudit-ad monitor -s dc01.corp.local -d corp.local -u CORP\\admin -p password

# Hardening recommendations
dcsyncaudit-ad harden -s dc01.corp.local -d corp.local -u CORP\\admin -p password --export-scripts ./scripts

# Generate HTML report
dcsyncaudit-ad report -s dc01.corp.local -d corp.local -u CORP\\admin -p password --format html

Installation

git clone https://github.com/ayinedjimi/DCSyncAudit-AD.git
cd DCSyncAudit-AD
pip install -e .

Requirements

  • Python 3.8+
  • ldap3
  • rich
  • pandas
  • openai

Architecture

DCSyncAudit-AD/
├── src/dcsyncaudit_ad/
│   ├── __init__.py          # Package initialization
│   ├── models.py            # Data models
│   ├── auditor.py           # DCSync rights auditor (read-only LDAP)
│   ├── monitor.py           # Continuous monitoring & detection rules
│   ├── hardener.py          # Hardening recommendations
│   ├── reporter.py          # Report generation (HTML/JSON/Markdown)
│   └── cli.py               # Command-line interface
├── tests/
│   ├── test_auditor.py      # Auditor unit tests
│   └── test_monitor.py      # Monitor unit tests
├── setup.py
├── requirements.txt
├── LICENSE
└── README.md

MITRE ATT&CK Mapping

| Technique | ID | Description |
|---|---|---|
| OS Credential Dumping: DCSync | T1003.006 | This tool detects accounts that could perform DCSync |

Compliance Frameworks

  • CIS Benchmark for Windows Server
  • ANSSI Recommendations for Active Directory Security
  • MITRE ATT&CK T1003.006
  • NIST 800-53 Access Control

Testing

pip install pytest pytest-cov
pytest tests/ -v --cov=dcsyncaudit_ad

Author

Ayi NEDJIMI (contact@ayinedjimi-consultants.fr)

License

This project is licensed under the MIT License - see the LICENSE file for details.


DISCLAIMER: This tool is intended for authorized security auditing only. It performs read-only analysis and does NOT exploit any vulnerabilities. Always obtain proper authorization before auditing any system. Unauthorized use is strictly prohibited and may violate applicable laws.
