← Back to Explore
sigmahighHunting
Mimikatz DC Sync
Detects Mimikatz DC sync security events
Detection Query
selection:
EventID: 4662
Properties|contains:
- Replicating Directory Changes All
- 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
- 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
- 9923a32a-3607-11d2-b9be-0000f87a36b2
- 89e95b76-444d-4c62-991a-0facbeda640c
AccessMask: "0x100"
filter1:
SubjectDomainName: Window Manager
filter2:
SubjectUserName|startswith:
- NT AUT
- MSOL_
filter3:
SubjectUserName|endswith: $
condition: selection and not 1 of filter*
Author
Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
Created
2018-06-03
Data Sources
windowssecurity
Platforms
windows
References
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
Tags
attack.credential-accessattack.s0002attack.t1003.006
Raw Content
title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects Mimikatz DC sync security events
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
date: 2018-06-03
modified: 2022-04-26
tags:
- attack.credential-access
- attack.s0002
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
Properties|contains:
- 'Replicating Directory Changes All'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '9923a32a-3607-11d2-b9be-0000f87a36b2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
AccessMask: '0x100'
filter1:
SubjectDomainName: 'Window Manager'
filter2:
SubjectUserName|startswith:
- 'NT AUT'
- 'MSOL_'
filter3:
SubjectUserName|endswith: '$'
condition: selection and not 1 of filter*
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
level: high