detection.wiki

Detection rules › Elastic

Potential Credential Access via DCSync

Author
Elastic
Source
upstream

This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts
PersistenceT1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts
Privilege EscalationT1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts
Defense EvasionT1078 Valid Accounts, T1078.002 Valid Accounts: Domain Accounts
Credential AccessT1003 OS Credential Dumping, T1003.006 OS Credential Dumping: DCSync

Event coverage

ProviderEvent IDTitle
Security-Auditing4662An operation was performed on an object.

Stages and Predicates

Stage 1: kql:new_terms

not (winlog.event_data.SubjectUserName:"*$" or winlog.event_data.SubjectUserName:"MSOL_*") and (winlog.event_data.Properties:"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or winlog.event_data.Properties:"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" or winlog.event_data.Properties:"89e95b76-444d-4c62-991a-0facbeda640c" or winlog.event_data.Properties:"DS-Replication-Get-Changes" or winlog.event_data.Properties:"DS-Replication-Get-Changes-All" or winlog.event_data.Properties:"DS-Replication-Get-Changes-In-Filtered-Set") and winlog.event_data.AccessMask:0x100

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1userends_with$
2userstarts_withMSOL_

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
winlog.event_data.AccessMaskeq
  • 0x100 corpus 3 (sigma 2, elastic 1)
winlog.event_data.Propertieswildcard
  • *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* corpus 2 (elastic 2)
  • *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* corpus 2 (elastic 2)
  • *89e95b76-444d-4c62-991a-0facbeda640c* corpus 2 (elastic 2)
  • *DS-Replication-Get-Changes* corpus 2 (elastic 2)
  • *DS-Replication-Get-Changes-All* corpus 2 (elastic 2)
  • *DS-Replication-Get-Changes-In-Filtered-Set* corpus 2 (elastic 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.