Techniques
Sample rules
Potential Credential Access via DCSync
- source: elastic
- techniques:
- T1003
- T1078
Description
This rule identifies when a user account starts the Active Directory replication process. Attackers can use the DCSync technique to retrieve credential information for individual accounts or for the entire domain, thereby compromising the whole domain.
Detection logic
host.os.type:"windows" and event.code:"4662" and
winlog.event_data.Properties:(
*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
*DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*
) and winlog.event_data.AccessMask : "0x100" and
not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
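As an added example (not part of the Elastic rule or its code), the same matching logic written in Python and run over constructed 4662 events, so the rule's conditions and its two exclusions can be exercised offline; field names and GUIDs are the ones in the rule above, the sample accounts are made up:

```python
# Control access rights (names and GUIDs) the rule looks for in Properties.
REPLICATION_RIGHTS = (
    "DS-Replication-Get-Changes",
    "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
)

def is_potential_dcsync(event):
    """Return True when a flattened 4662 event satisfies the rule's KQL."""
    if event.get("host.os.type") != "windows" or event.get("event.code") != "4662":
        return False
    props = event.get("winlog.event_data.Properties", "")
    # KQL wildcard match (*right*) on the Properties field.
    if not any(right.lower() in props.lower() for right in REPLICATION_RIGHTS):
        return False
    # 0x100 is the "Control Access" access mask used for these extended rights.
    if event.get("winlog.event_data.AccessMask") != "0x100":
        return False
    subject = event.get("winlog.event_data.SubjectUserName", "")
    # Exclusions from the rule: machine accounts (*$) replicate legitimately
    # between domain controllers, and MSOL_* accounts are Azure AD Connect sync accounts.
    if subject.endswith("$") or subject.startswith("MSOL_"):
        return False
    return True

def find_alerts(events):
    """Subject user names of all events the rule would alert on."""
    return [e["winlog.event_data.SubjectUserName"] for e in events if is_potential_dcsync(e)]

# Constructed sample events (not real telemetry) in the rule's flattened field names.
_BASE = {"host.os.type": "windows", "event.code": "4662",
         "winlog.event_data.AccessMask": "0x100"}
SAMPLE_EVENTS = [
    # Ordinary user requesting DS-Replication-Get-Changes-All: should alert.
    dict(_BASE, **{"winlog.event_data.Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
                   "winlog.event_data.SubjectUserName": "jdoe"}),
    # Domain controller machine account: normal replication, excluded by *$.
    dict(_BASE, **{"winlog.event_data.Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                   "winlog.event_data.SubjectUserName": "DC02$"}),
    # Azure AD Connect sync account (constructed name): excluded by MSOL_*.
    dict(_BASE, **{"winlog.event_data.Properties": "{89e95b76-444d-4c62-991a-0facbeda640c}",
                   "winlog.event_data.SubjectUserName": "MSOL_1a2b3c"}),
    # Same user, unrelated right (placeholder GUID) and a different mask: no alert.
    dict(_BASE, **{"winlog.event_data.Properties": "{00000000-0000-0000-0000-000000000000}",
                   "winlog.event_data.AccessMask": "0x20000",
                   "winlog.event_data.SubjectUserName": "jdoe"}),
]
```

Running `find_alerts(SAMPLE_EVENTS)` yields only `["jdoe"]`, which is the single event where a non-excluded account requested a replication right with the 0x100 mask.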