Service accounts that perform replication may trigger this alert on the first run per AD object, but they'll be suppressed in subsequent runs since this rule uses the new_terms rule type.

Techniques

Sample rules

Potential Credential Access via DCSync

Description

This rule identifies when a user account starts the Active Directory replication process. Attackers can use the DCSync technique to obtain credential material for individual accounts or for the entire domain, thereby compromising the whole domain.

Detection logic

host.os.type:"windows" and event.code:"4662" and
  winlog.event_data.Properties:(
    *DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
    *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*
  ) and winlog.event_data.AccessMask : "0x100" and
  not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
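The detection logic above, together with the new_terms suppression described in the false-positive note, re-implemented in Python over constructed 4662 events. This is an added example, not the rule's own code; the suppression key (subject account plus target object) is an assumption about how new_terms is configured for this rule, and the field names simply mirror the query.

```python
from typing import Dict, Iterable, List, Tuple

# Replication control-access rights matched by the rule, by name and by rightsGuid.
REPLICATION_PROPERTIES = (
    "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
)
def matches_rule(event: Dict[str, str]) -> bool:
    """True when a flattened event satisfies every clause of the detection logic."""
    if event.get("host.os.type") != "windows" or event.get("event.code") != "4662":
        return False
    if not any(p in event.get("winlog.event_data.Properties", "") for p in REPLICATION_PROPERTIES):
        return False
    if event.get("winlog.event_data.AccessMask") != "0x100":  # Control Access right
        return False
    subject = event.get("winlog.event_data.SubjectUserName", "")
    # Machine accounts ($) and Azure AD Connect accounts (MSOL_*) replicate legitimately.
    return not (subject.endswith("$") or subject.startswith("MSOL_"))

class NewTermsSuppressor:
    """Assumed simplification of new_terms: alert on the first (subject, object) pair only."""
    def __init__(self) -> None:
        self.seen = set()

    def evaluate(self, events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
        alerts = []
        for ev in filter(matches_rule, events):
            key = (ev["winlog.event_data.SubjectUserName"], ev.get("winlog.event_data.ObjectName", ""))
            if key not in self.seen:  # repeat hits for a known pair are suppressed
                self.seen.add(key)
                alerts.append(key)
        return alerts

def _ev(subject: str, props: str, mask: str = "0x100") -> Dict[str, str]:
    # Constructed 4662 event carrying only the fields the rule inspects.
    return {"host.os.type": "windows", "event.code": "4662",
            "winlog.event_data.SubjectUserName": subject, "winlog.event_data.Properties": props,
            "winlog.event_data.AccessMask": mask, "winlog.event_data.ObjectName": "DC=corp,DC=example"}
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("DC02$", "{DS-Replication-Get-Changes-All}"),           # DC-to-DC replication: excluded
    _ev("MSOL_1a2b3c", "{DS-Replication-Get-Changes}"),         # Azure AD Connect: excluded
    _ev("svc_backup", "{DS-Replication-Get-Changes}", "0x10"),  # wrong access mask: no match
    _ev("jdoe", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),      # user-driven replication: alert
    _ev("jdoe", "{DS-Replication-Get-Changes-All}"),            # same pair again: suppressed
]

def run_sample() -> List[Tuple[str, str]]:
    return NewTermsSuppressor().evaluate(SAMPLE_EVENTS)
```

Running `run_sample()` yields a single alert for `jdoe`; the two legitimate replicators and the event with the wrong access mask never match, and the repeat hit for the same account and object is suppressed.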