FirstTime Seen Account Performing DCSync

This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/12/19"
 3integration = ["windows"]
 4maturity = "production"
 5min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 6min_stack_version = "8.4.0"
 7updated_date = "2024/01/29"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule identifies when a User Account starts the Active Directory Replication Process for the first time. 
13Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, 
14thus compromising the entire domain.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "FirstTime Seen Account Performing DCSync"
21note = """## Triage and analysis
22
23### Investigating FirstTime Seen Account Performing DCSync
24
25Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.
26
27Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.
28
29Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.
30
31More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
32
33This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.
34
35#### Possible investigation steps
36
37- Identify the user account that performed the action and whether it should perform this kind of action.
38- Contact the account and system owners and confirm whether they are aware of this activity.
39- Investigate other alerts associated with the user/host during the past 48 hours.
40- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
41- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).
42
43### False positive analysis
44
45- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
46- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
47
48### Response and remediation
49
50- Initiate the incident response process based on the outcome of the triage.
51- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
52- If the entire domain or the `krbtgt` user was compromised:
53  - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.
54- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
55- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
56- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
57
58"""
59references = [
60    "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
61    "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing",
62    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml",
63    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md",
64    "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync",
65    "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync",
66]
67risk_score = 73
68rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
69setup="""
70
71The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).
72Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure)

 1"""
 2severity = "high"
 3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"]
 4timestamp_override = "event.ingested"
 5type = "new_terms"
 6
 7query = '''
 8event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and
 9 winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or
10                               *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or
11                               *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and
12 not winlog.event_data.SubjectUserName:(*$ or MSOL_*)
13'''
14
15
16[[rule.threat]]
17framework = "MITRE ATT&CK"
18
19[[rule.threat.technique]]
20id = "T1003"
21reference = "https://attack.mitre.org/techniques/T1003/"
22name = "OS Credential Dumping"
23
24    [[rule.threat.technique.subtechnique]]
25    id = "T1003.006"
26    reference = "https://attack.mitre.org/techniques/T1003/006/"
27    name = "DCSync"
28
29
30[rule.threat.tactic]
31id = "TA0006"
32reference = "https://attack.mitre.org/tactics/TA0006/"
33name = "Credential Access"
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37
38[[rule.threat.technique]]
39id = "T1078"
40name = "Valid Accounts"
41reference = "https://attack.mitre.org/techniques/T1078/"
42[[rule.threat.technique.subtechnique]]
43id = "T1078.002"
44name = "Domain Accounts"
45reference = "https://attack.mitre.org/techniques/T1078/002/"
46
47
48
49[rule.threat.tactic]
50id = "TA0004"
51name = "Privilege Escalation"
52reference = "https://attack.mitre.org/tactics/TA0004/"
53
54[rule.new_terms]
55field = "new_terms_fields"
56value = ["winlog.event_data.SubjectUserName"]
57
58[[rule.new_terms.history_window_start]]
59field = "history_window_start"
60value = "now-15d"

Triage and analysis

Investigating FirstTime Seen Account Performing DCSync

Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.

Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.

Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.

More details can be found on Threat Hunter Playbook and The Hacker Recipes.

This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.

Possible investigation steps

  • Identify the user account that performed the action and whether it should perform this kind of action.
  • Contact the account and system owners and confirm whether they are aware of this activity.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (winlog.logon.id) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
  • Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).

False positive analysis

  • Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.
  • Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
  • If the entire domain or the krbtgt user was compromised:
    • Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the krbtgt user.
  • Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

References

Related rules

to-top