blue-team-tools/rules/windows/builtin/security/win_dcsync.yml

title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Mimikatz DC sync security events
status: experimental
date: 2018/06/03
modified: 2022/03/15
author: Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
tags:
    - attack.credential_access
    - attack.s0002
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - 'Replicating Directory Changes All'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '9923a32a-3607-11d2-b9be-0000f87a36b2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
        AccessMask: '0x100'
    filter1:
        SubjectDomainName: 'Window Manager'
    filter2:
        SubjectUserName|startswith:
            - 'NT AUTHORITY'
            - 'MSOL_'
    filter3:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter*
falsepositives:
    - Valid DC Sync that is not covered by the filters; please report
    - Local Domain Admin account used for Azure AD Connect
level: high