Commit 19e1d51

committed
Updating detection
1 parent f0d60a4 commit 19e1d51

File tree

1 file changed: +13 -16 lines changed

detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml

Lines changed: 13 additions & 16 deletions
Original file line number | Diff line number | Diff line change
@@ -14,29 +14,26 @@ description: The following analytic detects a user account initiating an Active
1414
sufficient privileges to request password hashes for any or all users within the
1515
domain. If confirmed malicious, this could lead to unauthorized access, privilege
1616
escalation, and potential compromise of the entire domain.
17-
search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
18-
"domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*",
19-
"*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
20-
AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18"
21-
OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time)
22-
as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName,
23-
ObjectServer, ObjectType, OperationType, status | rename SubjectDomainName as Target_Domain,
24-
SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe
25-
[| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
26-
| table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid,
27-
Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName,
28-
ObjectServer, ObjectType, OperationType | stats min(attack_time) as _time values(TargetUserSid)
29-
as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user,
30-
values(Computer) as Computer, values(status) as status, values(src_category) as
31-
src_category, values(src_ip) as src_ip by TargetLogonId | `windows_ad_replication_request_initiated_by_user_account_filter`'
17+
search: >-
18+
`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","domainDNS")
19+
AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*","*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
20+
AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
21+
| stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status
22+
| rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time
23+
| appendpipe
24+
[| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" | fields - status]
25+
| table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType
26+
| stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as
27+
src_category, values(src_ip) as src_ip by TargetLogonId
28+
| `windows_ad_replication_request_initiated_by_user_account_filter`
3229
how_to_implement: To successfully implement this search, you need to be ingesting
3330
eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services
3431
Access` within `DS Access` needs to be enabled, as well as the following SACLs applied
3532
to the domain root and all descendant objects. The principals `everybody`, `Domain
3633
Computers`, and `Domain Controllers` auditing the permissions `Replicating Directory
3734
Changes`, `Replicating Directory Changes All`, and `Replicating Directory Changes
3835
In Filtered Set`
39-
known_false_positives: Azure AD Connect syncing operations.
36+
known_false_positives: Azure AD Connect syncing operations and the dcdiag.exe /Test:Replications command.
4037
references:
4138
- https://adsecurity.org/?p=1729
4239
- https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
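Review bot: the only behavioural change in this hunk is `| fields - status` inside the map subsearch (line 24+), which stops the 4624 logon event's `status` from being folded into `values(status)` alongside the 4662 outcome in the final stats; neither the commit message ("Updating detection") nor the unchanged `description`/`how_to_implement` text says so, so please state that intent in the commit message or in a comment next to the map call. The rest of the search block is a reflow into a `>-` folded scalar with no change to the 4662 filter, the `stats`/`rename` stages or the final `table`; the continuation at line 27+ (`src_category, values(src_ip) ...`) must keep the same indentation as line 26+, since a more-indented line in a folded scalar is kept as a literal line break rather than folded into the preceding one. One further point worth a line in `how_to_implement`: `map` stops after its default `maxsearches=10`, so when more than ten distinct `TargetLogonId` rows reach the `appendpipe`, the remaining logon sessions receive no 4624 enrichment; consider passing `maxsearches` explicitly on the map call so the limit is visible to whoever tunes this search.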