rules/windows/builtin/security/win_dcsync.yml

title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Mimikatz DC sync security events
status: experimental
date: 2018/06/03
modified: 2022/03/15
author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
tags:
    - attack.credential_access
    - attack.s0002
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - 'Replicating Directory Changes All'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '9923a32a-3607-11d2-b9be-0000f87a36b2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
        AccessMask: '0x100'
    filter1:
        SubjectDomainName: 'Window Manager'
    filter2:
        SubjectUserName|startswith:
            - 'NT AUTHORITY'
            - 'MSOL_'
    filter3:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter*
falsepositives:
    - Valid DC Sync that is not covered by the filters; please report
    - Local Domain Admin account used for Azure AD Connect
level: high
Rule: DCSync 2018-06-03 16:00:57 +02:00			`title: Mimikatz DC Sync`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 611eab06-a145-4dfa-a295-3ccc5c20f59a`
Rule: DCSync 2018-06-03 16:00:57 +02:00			`description: Detects Mimikatz DC sync security events`
			`status: experimental`
			`date: 2018/06/03`
Update win_dcsync.yml 2022-03-15 12:37:07 +01:00			`modified: 2022/03/15`
			`author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu`
Rule: DCSync 2018-06-03 16:00:57 +02:00			`references:`
			`- https://twitter.com/gentilkiwi/status/1003236624925413376`
			`- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2`
Update win_dcsync.yml 2022-03-15 12:37:07 +01:00			`- https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r`
			`- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662`
Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00			`tags:`
			`- attack.credential_access`
ATT&CK tagging QA 2018-09-20 12:44:44 +02:00			`- attack.s0002`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1003.006`
Rule: DCSync 2018-06-03 16:00:57 +02:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 4662`
Update win_dcsync.yml 2020-10-15 15:19:18 -03:00			`Properties\|contains:`
			`- 'Replicating Directory Changes All'`
			`- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'`
Update win_dcsync.yml 2022-03-15 12:37:07 +01:00			`- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'`
			`- '9923a32a-3607-11d2-b9be-0000f87a36b2'`
			`- '89e95b76-444d-4c62-991a-0facbeda640c'`
			`AccessMask: '0x100'`
fix: FPs with Mimikatz DC Sync rule 2019-10-08 17:43:50 +02:00			`filter1:`
			`SubjectDomainName: 'Window Manager'`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`filter2:`
Update win_dcsync.yml 2020-10-15 15:19:18 -03:00			`SubjectUserName\|startswith:`
			`- 'NT AUTHORITY'`
			`- 'MSOL_'`
Update win_dcsync.yml 2020-10-15 20:19:06 -03:00			`filter3:`
$frack113$ Split PR 1802 builtin net rules 2021-08-09 20:23:35 +02:00			`SubjectUserName\|endswith: '$'`
$frack113$ simplified condition 2021-12-08 20:12:57 +01:00			`condition: selection and not 1 of filter*`
Rule: DCSync 2018-06-03 16:00:57 +02:00			`falsepositives:`
fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00			`- Valid DC Sync that is not covered by the filters; please report`
false positive - added Azure AD Connect 2021-04-20 08:24:38 -04:00			`- Local Domain Admin account used for Azure AD Connect`
fix: Mimikatz DC Sync rule FP description and level 2019-10-08 17:45:10 +02:00			`level: high`
Rule: DCSync 2018-06-03 16:00:57 +02:00