service accounts that perform replication may trigger this alert on the first run per ad object, but they'll be suppressed in subsequent runs since this rule uses the new_terms rule type.

t1003
t1078
windows
elastic

Techniques

T1003
T1078

Sample rules

Potential Credential Access via DCSync

source: elastic
technicques:
- T1003
- T1078

Description

This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.

Detection logic

host.os.type:"windows" and event.code:"4662" and
  winlog.event_data.Properties:(
    *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
    *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*
  ) and winlog.event_data.AccessMask : "0x100" and
  not winlog.event_data.SubjectUserName:(*$ or MSOL_*)