Windows AD Domain Replication ACL Addition
The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484 Domain or Tenant Policy Modification |
| Defense Evasion | T1484 Domain or Tenant Policy Modification |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search EventCode=5136 ObjectClass="domainDNS"
Stage 2: stats
stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId, dest
Stage 3: rex
rex field=old_value ...
Stage 4: rex
rex field=new_value ...
Stage 5: mvexpand
mvexpand
Stage 6: where
where NOT new_ace="old_values"
Stage 7: rex
rex field=new_ace ...
Stage 8: search
search aceObjectGuid IN ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c")
Stage 9: rex
rex field=aceAccessRights ...
Stage 10: rex
rex field=aceFlags ...
Stage 11: lookup
lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid
Stage 12: lookup
lookup <lookup> AccessRights, access_rights_string, access_rights_value
Stage 13: lookup
lookup <lookup> aceType, ace_type_string, ace_type_value
Stage 14: lookup
lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value
Stage 15: lookup
lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string
Stage 16: eval
eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)
Stage 17: stats
stats BY ObjectClass, ObjectDN, src_user, dest, user
Stage 18: search
search ((aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") OR (aceControlAccessRights="Replicating Directory Changes All" aceControlAccessRights="Replicating Directory Changes"))
Stage 19: search
search `macro`
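As an added example (not the rule's own SPL or any Splunk code), the same logic in Python over constructed EventCode 5136 old/new nTSecurityDescriptor SDDL values: diff old and new ACEs (Stage 6), keep object ACEs whose GUID is one of the three replication rights (Stage 8), then group by principal and report only those that received both Get-Changes and Get-Changes-All in one modification (Stages 17-18). The SIDs and SDDL strings are constructed sample data.

```python
import re

# Extended-rights GUIDs from the rule's aceObjectGuid search (Stage 8).
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Stage 18 requires both of these to be granted to the same principal.
REQUIRED = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# One SDDL ACE is "(type;flags;rights;object_guid;inherit_guid;sid)".
# Conditional ACEs (which contain nested parentheses) are not handled here.
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_aces(sddl: str) -> set[str]:
    """Return the set of ACE bodies (without parentheses) in an SDDL string."""
    return set(ACE_RE.findall(sddl))

def added_dcsync_aces(old_value: str, new_value: str) -> list[tuple[str, str]]:
    """ACEs present in new_value but not old_value (Stage 6) that grant
    control access (CR) on a DCSync extended right (Stage 8)."""
    hits = []
    for ace in parse_aces(new_value) - parse_aces(old_value):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, object_guid, _inherit_guid, sid = fields[:6]
        guid = object_guid.lower()
        if ace_type == "OA" and "CR" in rights and guid in DCSYNC_RIGHTS:
            hits.append((sid, DCSYNC_RIGHTS[guid]))
    return hits

def principals_with_dcsync(old_value: str, new_value: str) -> dict[str, set[str]]:
    """Group granted rights by SID (Stage 17) and keep principals that
    received both required replication rights (Stage 18)."""
    by_sid: dict[str, set[str]] = {}
    for sid, right in added_dcsync_aces(old_value, new_value):
        by_sid.setdefault(sid, set()).add(right)
    return {sid: rights for sid, rights in by_sid.items() if REQUIRED <= rights}

# Constructed 5136 attribute values: the S-1-5-9 ACE already existed (no alert),
# the S-1-5-21-...-1105 principal newly receives both replication rights.
OLD_VALUE = ("O:DAG:DAD:AI(A;;RPLCLORC;;;AU)"
             "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)")
NEW_VALUE = (OLD_VALUE +
             "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
             "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)")

if __name__ == "__main__":
    print(principals_with_dcsync(OLD_VALUE, NEW_VALUE))
```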
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | new_ace | eq | old_values |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 5136 |
| ObjectClass | eq | domainDNS |
| aceControlAccessRights | eq | 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, Replicating Directory Changes All, Replicating Directory Changes |
| aceObjectGuid | in | 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 89e95b76-444d-4c62-991a-0facbeda640c |
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Windows AD Dangerous Deny ACL Modification (drops 1 filter this rule applies)
- Windows AD Object Owner Updated (drops 1 filter this rule applies)
- Windows AD Self DACL Assignment (drops 1 filter this rule applies)