Windows AD Replication Request Initiated by User Account

Author: Dean Luxton
Source: upstream

The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003.006` OS Credential Dumping: DCSync

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4662	An operation was performed on an object.

Stages and Predicates

Stage 1: `search`

search NOT (SubjectDomainName="Window Manager" OR SubjectUserName="*$" OR SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18") AccessMask="0x100" EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") Properties IN ("*Manage Replication Topology*", "*Remove Replica In Domain*", "*Replicating Directory Changes All*", "*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*")

Stage 2: `stats`

stats BY SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status, dest

Stage 3: `rename`

rename

Stage 4: `appendpipe`

appendpipe

Stage 5: `stats`

stats BY TargetLogonId

Stage 6: `search`

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`SubjectDomainName`	eq	`"Window Manager"`
2	`SubjectUserSid`	eq	`"NT AUT*"`
3	`SubjectUserSid`	eq	`"S-1-5-18"`
4	`user`	eq	`"*$"`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccessMask`	eq	`"0x100"` corpus 2 (splunk 2)
`EventCode`	eq	`4662` corpus 4 (splunk 4)
`ObjectType`	in	`"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"` corpus 2 (splunk 2) `"domainDNS"` corpus 2 (splunk 2)
`Properties`	in	`"Manage Replication Topology"` corpus 2 (splunk 2) `"Remove Replica In Domain"` corpus 2 (splunk 2) `"Replicating Directory Changes All"` corpus 2 (splunk 2) `"{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}"` corpus 2 (splunk 2) `"{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"` corpus 2 (splunk 2) `"{9923a32a-3607-11d2-b9be-0000f87a36b2}"` corpus 2 (splunk 2)

Windows AD Replication Request Initiated by User Account

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: rename

Stage 4: appendpipe

Stage 5: stats

Stage 6: search