{
	"id": "35eeca8e-b2e2-4432-b072-ee0a7133201a",
	"created_at": "2026-04-06T00:15:56.287204Z",
	"updated_at": "2026-04-10T03:20:51.640645Z",
	"deleted_at": null,
	"sha1_hash": "1e88f37aa226ab8a96cb1d7ae4be335c94f8c563",
	"title": "GitHub - shellster/DCSYNCMonitor: Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101136,
	"plain_text": "GitHub - shellster/DCSYNCMonitor: Monitors for DCSYNC and\r\nDCSHADOW attacks and create custom Windows Events for these\r\nevents.\r\nBy shellster\r\nArchived: 2026-04-05 21:42:15 UTC\r\nDescription\r\nThis tool is an application/service that can be deployed on domain controllers to alert on Domain Controller\r\nSynchronization attempts. When an attempt is detected, the tool will write an event to the Windows Event Log.\r\nThese events can be correlated in a SIEM. In addition, this tool can take a list of valid DC IPs and, in this\r\nconfiguration, only alert when a DC SYNC attempt comes from a non-DC IP. This tool is meant to provide Blue\r\nTeams with a way to combat DC SYNC and DC SHADOW attacks without commercial tools like Microsoft ATA\r\nor fancy IDS/IPS.\r\nBrief YouTube video: https://www.youtube.com/watch?v=oLND9QZfaJc\r\nInstallation Instructions\r\nTo install this tool, you can use either the pre-built binaries or build the tool yourself. Links for the prebuilt binaries are\r\nhere:\r\n32bit Service:\r\nhttps://github.com/shellster/DCSYNCMonitor/raw/master/Release/DCSYNCMONITORSERVICE.exe\r\n64bit Service:\r\nhttps://github.com/shellster/DCSYNCMonitor/raw/master/x64/Release/DCSYNCMONITORSERVICE.exe\r\nYou will need either WinPcap or Npcap installed on your domain controller. WinPcap should work, but is not\r\nrecommended, as its packet capture methods are not as efficient or thorough as Npcap's. 
This tool has only been\r\nbriefly tested with WinPcap.\r\nTo install Npcap, download the installer from here: https://nmap.org/npcap/\r\nYou should make sure that the following options are checked:\r\nAutomatically start the Npcap driver at boot time\r\nRestrict Npcap driver's access to Administrators only\r\nAfter installing, you will need to reboot the domain controller.\r\nhttps://github.com/shellster/DCSYNCMonitor\r\nPage 1 of 5\n\nNpcap does not install the supporting library DLLs into the system's DLL search path, so you will need to\r\nperform the following tasks after installing:\r\ncopy \"%WINDIR%\\System32\\Npcap\\*.dll\" \"%WINDIR%\\System32\\\"\r\n#If Applicable (32bit Service on 64bit System):\r\ncopy \"%WINDIR%\\SYSWOW64\\Npcap\\*.dll\" \"%WINDIR%\\SYSWOW64\\\"\r\nNote: If the previous step is not completed, you will receive errors about a missing wpcap.dll or Packet.dll when\r\nattempting to run the tool.\r\nNow copy the DCSYNCMONITOR.EXE from this project into an appropriate location. We recommend\r\n%WINDIR%\\SYSTEM32 for either 32bit systems or 64bit systems with a 64bit service, or\r\n%WINDIR%\\SYSWOW64 if you are using the 32bit service on a 64bit system.\r\nThe tool can now be run in one of two ways:\r\nWithout a configuration file\r\nIn this mode, the tool will write a DCSYNCALERT Warning event to the Windows Application Event Log\r\nevery time a new IP (not seen in the previous five minutes) attempts to perform a DC SYNC against the domain\r\ncontroller. This will include legitimate synchronization activity between domain controllers.\r\nWith a configuration file\r\nA configuration file called \"dc_ip_list.conf\" can be placed in the same directory as the tool. If this file exists, it\r\nshould contain one IPv4 (or long-form IPv6) address per line. The tool will ingest this list on start-up. In this\r\nmode, no events will be written for DC Sync attempts from matching IP addresses. 
However, if a DC Sync\r\nattempt occurs from any other IP address, a DCSYNCALERT Error event will be written to the Windows\r\nApplication Event Log.\r\nNote: Changes to the dc_ip_list.conf file will not take effect until the service is stopped and restarted.\r\nThe usual way to use this tool is to install it as a service. Once the tool is placed in the correct folder, this can\r\neasily be accomplished by running:\r\nDCMONITORSERVICE.exe -install\r\nOnce you have installed the service, you will need to start it manually from the Services.msc console or by using the\r\nappropriate net or sc commands. It will auto-start on future reboots.\r\nShould you need to uninstall the service, run the following command:\r\nDCMONITORSERVICE.exe -remove\r\nFinally, to run the tool in stand-alone mode, without installing a service (especially useful for debugging):\r\nDCMONITORSERVICE.exe -standalone\r\nScreenshots\r\nDC SYNC Warning events occur when there is no list of valid DC IPs provided, or when a DC SYNC occurs from\r\na valid DC IP:\r\nDC SYNC Error events occur when a list of valid DC IPs is provided and a DC SYNC occurs from any other IP\r\naddress:\r\nCompilation Instructions\r\nYou will need Visual Studio 2015 or later. The Community (free) edition is perfectly acceptable. Once you open\r\nthe project, you should be able to immediately build Debug and Release versions in both 32bit and 64bit varieties.\r\nThe Debug editions should not be deployed in a production environment. 
They emit extensive error and debugging\r\ninformation, including TCP packet dumps (if you uncomment the following lines in the monitor.cpp file):\r\n#ifdef _DEBUG\r\n//debug_print(\"TCP SRC IP: %s\\nData:\\n\", tcppacket.source_ip.address.c_str());\r\n//print_payload((const u_char *)tcppacket.data, tcppacket.data_length);\r\n#endif\r\nRelease versions are much smaller and automatically strip debug statements.\r\nImportant Limitations\r\nThis tool has the following known limitations:\r\nThe tool does a byte comparison for the DSNcChange packet. This pattern should be fairly robust, but could\r\nlikely be defeated by an advanced attacker.\r\nThe tool does not handle IPv4 fragmentation. An attacker could conceivably craft a DC SYNC\r\nrequest with IPv4 fragmentation to bypass the packet sniffing.\r\nThe tool does not handle IPv6 extension headers. An attacker on an IPv6 network could conceivably craft\r\na DC SYNC request that contains extra extension headers or use a jumbogram to bypass the signatures.\r\nThe tool does not handle malformed packets, which may or may not be correctly dropped by the kernel.\r\nIt is highly unlikely, but a false positive could occur if a random TCP packet manages to match the 11-byte\r\nsignature this tool checks for.\r\nThis tool will only work on Server 2008 or later.\r\nLicense\r\nThis tool is provided under the MIT License (see LICENSE).\r\nReferences\r\nSignificant packet parsing insight and coding help was gathered from: https://www.tcpdump.org/sniffex.c\r\nThe C++ Windows Service boilerplate was taken from here:\r\nhttps://code.msdn.microsoft.com/windowsapps/CppWindowsService-cacf4948\r\nThe following page provided significant guidance on how to write to event logs:\r\nhttps://stackoverflow.com/questions/8559222/write-an-event-to-the-event-viewer\r\nCredit\r\nTool was written by Shelby Spencer:\r\nTwitter: shellsterdude\r\nKeybase.io: shellster\r\nGitHub: 
shellster\r\nFusionX generously provided me with time to update and refine this tool as well as a platform to announce it.\r\nHowever, this project is solely owned and developed by me.\r\nFeedback\r\nSuggestions, feedback, and PRs are all welcome and encouraged.\r\nSource: https://github.com/shellster/DCSYNCMonitor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/shellster/DCSYNCMonitor"
	],
	"report_names": [
		"DCSYNCMonitor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e88f37aa226ab8a96cb1d7ae4be335c94f8c563.pdf",
		"text": "https://archive.orkl.eu/1e88f37aa226ab8a96cb1d7ae4be335c94f8c563.txt",
		"img": "https://archive.orkl.eu/1e88f37aa226ab8a96cb1d7ae4be335c94f8c563.jpg"
	}
}