FirstTime Seen Account Performing DCSync

 1[metadata]
 2creation_date = "2022/12/19"
 3integration = ["windows"]
 4maturity = "production"
 5min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 6min_stack_version = "8.4.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule identifies when a User Account starts the Active Directory Replication Process for the first time. 
13Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, 
14thus compromising the entire domain.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "FirstTime Seen Account Performing DCSync"
21note = """## Setup
22
23The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
24Steps to implement the logging policy with Advanced Audit Configuration:

 1
 2If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 3"""
 4references = [
 5    "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
 6    "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
 7    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
 8    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
 9    "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
10    "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
11]
12risk_score = 73
13rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
14severity = "high"
15tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
16timestamp_override = "event.ingested"
17type = "new_terms"
18
19query = '''
20event.action:"Directory Service Access" and host.os.type:windows and event.code:"4662" and
21 winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
22                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
23                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
24 not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
25'''
26
27
28[[rule.threat]]
29framework = "MITRE ATT&CK"
30
31[[rule.threat.technique]]
32id = "T1003"
33reference = "https://attack.mitre.org/techniques/T1003/"
34name = "OS Credential Dumping"
35
36    [[rule.threat.technique.subtechnique]]
37    id = "T1003.006"
38    reference = "https://attack.mitre.org/techniques/T1003/006/"
39    name = "DCSync"
40
41
42[rule.threat.tactic]
43id = "TA0006"
44reference = "https://attack.mitre.org/tactics/TA0006/"
45name = "Credential Access"
46
47
48[rule.new_terms]
49field = "new_terms_fields"
50value = ["winlog.event_data.SubjectUserName"]
51
52[[rule.new_terms.history_window_start]]
53field = "history_window_start"
54value = "now-15d"

1Computer Configuration >
2Policies >
3Windows Settings >
4Security Settings >
5Advanced Audit Policies Configuration >
6Audit Policies >
7DS Access >
8Audit Directory Service Changes (Success,Failure)