LoFP / local domain admin account used for azure ad connect

Techniques

Sample rules

Mimikatz DC Sync

Description

Detects Mimikatz DCSync activity in Windows security events

Detection logic

condition: selection and not 1 of filter*
filter1:
  SubjectDomainName: Window Manager
filter2:
  SubjectUserName|startswith:
  - NT AUT
  - MSOL_
filter3:
  SubjectUserName|endswith: $
selection:
  AccessMask: '0x100'
  EventID: 4662
  Properties|contains:
  - Replicating Directory Changes All
  - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
  - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
  - 9923a32a-3607-11d2-b9be-0000f87a36b2
  - 89e95b76-444d-4c62-991a-0facbeda640c
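The selection and filter logic above, evaluated over constructed 4662 events. This is an added example, not code from the LoFP page or from the Sigma project; the event dictionaries, account names and the helper function names are assumptions made here to show which events the rule fires on, including the Azure AD Connect case this page lists as a false positive.

```python
# Added example: evaluates the Sigma rule's "selection and not 1 of filter*"
# logic over constructed Windows security event records (not Sigma's own code).
REPLICATION_PROPERTIES = (
    "Replicating Directory Changes All",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "9923a32a-3607-11d2-b9be-0000f87a36b2",  # DS-Install-Replica
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)


def _field(event: dict, name: str) -> str:
    # Sigma string matching is case-insensitive, so compare lowercase values.
    return str(event.get(name, "")).lower()


def selection(event: dict) -> bool:
    """Event 4662 with control-access (0x100) on one of the replication rights."""
    return (
        _field(event, "AccessMask") == "0x100"
        and event.get("EventID") == 4662
        and any(p.lower() in _field(event, "Properties") for p in REPLICATION_PROPERTIES)
    )


def filtered(event: dict) -> bool:
    """True if any of filter1..filter3 applies (legitimate replication sources)."""
    user = _field(event, "SubjectUserName")
    filter1 = _field(event, "SubjectDomainName") == "window manager"
    filter2 = user.startswith(("nt aut", "msol_"))  # NT AUTHORITY, Azure AD Connect default account
    filter3 = user.endswith("$")                    # machine accounts (domain controllers)
    return filter1 or filter2 or filter3


def rule_matches(event: dict) -> bool:
    return selection(event) and not filtered(event)


# Constructed sample events (hypothetical account names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4662, "AccessMask": "0x100", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # user-driven DCSync: alert
    {"EventID": 4662, "AccessMask": "0x100", "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_1a2b3c4d",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},          # default AAD Connect account: filter2
    {"EventID": 4662, "AccessMask": "0x100", "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "Properties": "{89e95b76-444d-4c62-991a-0facbeda640c}"},          # DC machine account: filter3
    {"EventID": 4662, "AccessMask": "0x100", "SubjectDomainName": "CORP", "SubjectUserName": "aadc-svc",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # custom admin account for AAD Connect: alert (the FP)
    {"EventID": 4662, "AccessMask": "0x10", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # wrong access mask: no selection
]


def alerts(events: list) -> list:
    """Return the SubjectUserName of every event the rule would alert on."""
    return [e["SubjectUserName"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

The fourth event shows why this page's false positive exists: an Azure AD Connect service account that does not carry the MSOL_ prefix is not covered by filter2, so it must be added to the filter for that environment.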