Active Directory Replication from Non Machine Account

Severity: critical
Author: Roberto Rodriguez @Cyb3rWard0g
Source: upstream

Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.006` OS Credential Dumping: DCSync

Event coverage

Provider	Event ID	Title
Security-Auditing	4662	An operation was performed on an object.

Stages and Predicates

Stage 1: `selection`

or:
Properties|contains: '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
Properties|contains: '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
Properties|contains: '89e95b76-444d-4c62-991a-0facbeda640c'
AccessMask: 0x100

Stage 2: `not filter`

or:
SubjectUserName|endswith: '$'
SubjectUserName|startswith: MSOL_

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccessMask`	eq	`0x100` corpus 3 (sigma 2, elastic 1)
`Properties`	match	`1131f6aa-9c07-11d1-f79f-00c04fc2dcd2` corpus 2 (sigma 2) `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` corpus 2 (sigma 2) `89e95b76-444d-4c62-991a-0facbeda640c` corpus 2 (sigma 2)
`SubjectUserName`	ends_with	`$` corpus 18 (sigma 14, elastic 4)
`SubjectUserName`	starts_with	`MSOL_` corpus 3 (sigma 3)