detection.wiki

Detection rules › Splunk

Windows AD Replication Request Initiated from Unsanctioned Location

Author
Dean Luxton
Source
upstream

The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1003.006 OS Credential Dumping: DCSync

Event coverage

ProviderEvent IDTitle
Security-Auditing4624An account was successfully logged on.
Security-Auditing4662An operation was performed on an object.

Stages and Predicates

Stage 1: search

search (SubjectDomainName="Window Manager" OR SubjectUserName="*$" OR SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18") AccessMask="0x100" EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "domainDNS") Properties IN ("*Manage Replication Topology*", "*Remove Replica In Domain*", "*Replicating Directory Changes All*", "*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*")

Stage 2: stats

stats BY SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status

Stage 3: rename

rename

Stage 4: appendpipe

appendpipe

Stage 5: stats

stats BY TargetLogonId

Stage 6: search

search NOT src_category="domain_controller"

Stage 7: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

StageFieldKindExcluded values
1src_categoryeq"domain_controller"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccessMaskeq
  • "0x100" corpus 2 (splunk 2)
EventCodeeq
  • 4662 corpus 4 (splunk 4)
ObjectTypein
  • "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" corpus 2 (splunk 2)
  • "domainDNS" corpus 2 (splunk 2)
Propertiesin
  • "*Manage Replication Topology*" corpus 2 (splunk 2)
  • "*Remove Replica In Domain*" corpus 2 (splunk 2)
  • "*Replicating Directory Changes All*" corpus 2 (splunk 2)
  • "*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*" corpus 2 (splunk 2)
  • "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*" corpus 2 (splunk 2)
  • "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*" corpus 2 (splunk 2)
SubjectDomainNameeq
  • "Window Manager"
SubjectUserNameeq
  • "*$" corpus 2 (splunk 2)
SubjectUserSideq
  • "NT AUT*"
  • "S-1-5-18"