← Back to Explore
sigmacriticalHunting
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Detection Query
selection:
EventID: 4662
AccessMask: "0x100"
Properties|contains:
- 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
- 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
- 89e95b76-444d-4c62-991a-0facbeda640c
filter:
- SubjectUserName|endswith: $
- SubjectUserName|startswith: MSOL_
condition: selection and not filter
Author
Roberto Rodriguez @Cyb3rWard0g
Created
2019-07-26
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.credential-accessattack.t1003.006
Raw Content
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
- https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
- https://threathunterplaybook.com/library/windows/active_directory_replication.html
- https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
- SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
falsepositives:
- Unknown
level: critical