Active Directory Replication from Non Machine Account

Detects potential abuse of the Active Directory Replication Service (ADRS) by a non-machine account to request credentials, i.e. a DCSync-style replication request (ATT&CK T1003.006).

Sigma rule

title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
modified: 2021/11/27
tags:
    - attack.credential_access
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662                  # An operation was performed on an object
        AccessMask: '0x100'            # Control Access (extended right) on the directory object
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
            - '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
    filter:
        - SubjectUserName|endswith: '$'          # domain controllers replicate with their machine accounts
        - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not filter
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
falsepositives:
    - Unknown
level: critical
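The following is an added example, not code from SigmaHQ or the rule author: a minimal Python implementation of the rule's `selection and not filter` logic, run over constructed sample 4662 events. Field names follow the Sigma rule (EventID, AccessMask, Properties, SubjectUserName); the sample events, host names and user names are invented, and the schema names attached to the three GUIDs are the well-known replication control-access rights, which the rule itself does not spell out.

```python
"""Evaluate the 'Active Directory Replication from Non Machine Account'
Sigma rule against constructed Security-4662 events.

Added example, not part of the rule or of SigmaHQ. Sample events below are
constructed, not captured logs.
"""
from typing import Dict, Iterable, List

# Extended-right GUIDs from the rule's Properties selection, mapped to the
# control access rights they identify (DCSync needs Get-Changes plus
# Get-Changes-All, or Get-Changes plus Get-Changes-In-Filtered-Set).
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def selection(event: dict) -> List[str]:
    """Rule 'selection': return the replication rights found in Properties
    when EventID is 4662 and AccessMask is 0x100, otherwise an empty list."""
    if event.get("EventID") != 4662:
        return []
    # Sigma string comparisons are case-insensitive, so normalise both sides.
    if str(event.get("AccessMask", "")).lower() != "0x100":
        return []
    props = str(event.get("Properties", "")).lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_filtered(event: dict) -> bool:
    """Rule 'filter': machine accounts (trailing '$') and the Azure AD
    Connect AD DS connector account (MSOL_*)."""
    user = str(event.get("SubjectUserName", "")).lower()
    return user.endswith("$") or user.startswith("msol_")


def evaluate(events: Iterable[dict]) -> List[dict]:
    """Apply 'selection and not filter' and return one alert per hit,
    carrying the rule's 'fields' plus the rights that were requested."""
    alerts = []
    for event in events:
        rights = selection(event)
        if rights and not is_filtered(event):
            alerts.append({
                "ComputerName": event.get("ComputerName"),
                "SubjectDomainName": event.get("SubjectDomainName"),
                "SubjectUserName": event.get("SubjectUserName"),
                "Rights": rights,
            })
    return alerts


# Constructed sample events (hypothetical hosts and users). Properties mimics
# the 4662 layout: an access-type resource string followed by one GUID per
# line; 19195a5b-... and bf967aba-... stand in for object-type GUIDs that are
# not replication rights.
_BASE = {"EventID": 4662, "ComputerName": "DC01.corp.example",
         "SubjectDomainName": "CORP", "AccessMask": "0x100"}
_DCSYNC_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                 "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                 "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")

SAMPLE_EVENTS = [
    # DCSync-style request from an ordinary user: must alert.
    {**_BASE, "SubjectUserName": "jdoe", "Properties": _DCSYNC_PROPS},
    # Normal replication by another DC's machine account: filtered.
    {**_BASE, "SubjectUserName": "DC02$", "Properties": _DCSYNC_PROPS},
    # Azure AD Connect connector account: filtered.
    {**_BASE, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "Properties": _DCSYNC_PROPS},
    # Control access on the same object for a non-replication right: no match.
    {**_BASE, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # Same GUIDs but a property read (AccessMask 0x10): no match.
    {**_BASE, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": _DCSYNC_PROPS},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first event produces an alert. Two practical notes: 4662 is only written when "Audit Directory Service Access" auditing is enabled and the domain naming context object carries a SACL covering Control Access for the requesting principal, so the rule is silent on an unaudited domain; and because the filter is name-based, any non-DC account whose name happens to end in `$` or start with `MSOL_` is excluded, which is worth checking when reviewing the filter for your environment.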
