sigma-rules/rules/windows/credential_access_dcsync_newterm_subjectuser.toml

[metadata]
creation_date = "2022/12/19"
integration = ["windows"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
This rule identifies when a User Account starts the Active Directory Replication Process for the first time. 
Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, 
thus compromising the entire domain.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "FirstTime Seen Account Performing DCSync"
note = """## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
    "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
    "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
    "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
]
risk_score = 73
rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.action:"Directory Service Access" and host.os.type:windows and event.code:"4662" and
 winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
 not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
reference = "https://attack.mitre.org/techniques/T1003/"
name = "OS Credential Dumping"

    [[rule.threat.technique.subtechnique]]
    id = "T1003.006"
    reference = "https://attack.mitre.org/techniques/T1003/006/"
    name = "DCSync"


[rule.threat.tactic]
id = "TA0006"
reference = "https://attack.mitre.org/tactics/TA0006/"
name = "Credential Access"


[rule.new_terms]
field = "new_terms_fields"
value = ["winlog.event_data.SubjectUserName"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-15d"