Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Non Domain Controller Active Directory Replication

Non Domain Controller Active Directory Replication

Back
Idb9d2eebc-5dcb-4888-8165-900db44443ab
RulenameNon Domain Controller Active Directory Replication
DescriptionThis query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).

A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.

A domain user with privileged permissions to use directory replication services is rare.
SeverityHigh
TacticsCredentialAccess
TechniquesT1003.006
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml
Version1.0.6
Arm templateb9d2eebc-5dcb-4888-8165-900db44443ab.json
Deploy To Azure
// Enter a reference list of hostnames for your DC servers
//let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
SecurityEvent
//| where Computer in (DCServersList)
| where EventID == 4662 and ObjectServer == 'DS'
| where AccountType != 'Machine'
| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes
    or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All
    or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set
| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
| join kind=leftouter
(
    SecurityEvent
    //| where Computer in (DCServersList)
    | where EventID == 4624 and LogonType == 3
    | where AccountType != 'Machine'
    | project TargetLogonId, IpAddress, Computer
)
on $left.SubjectLogonId == $right.TargetLogonId and $left.Computer == $right.Computer
| project-reorder TimeGenerated, Computer, Account, IpAddress
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountNTDomain = tostring(split(Account, "\\")[0]), AccountName = tostring(split(Account, "\\")[1])

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpAddress
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml
name: Non Domain Controller Active Directory Replication
relevantTechniques:
- T1003.006
status: Available
version: 1.0.6
queryPeriod: 7d
kind: Scheduled
id: b9d2eebc-5dcb-4888-8165-900db44443ab
query: |
  // Enter a reference list of hostnames for your DC servers
  //let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  SecurityEvent
  //| where Computer in (DCServersList)
  | where EventID == 4662 and ObjectServer == 'DS'
  | where AccountType != 'Machine'
  | where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes
      or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All
      or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set
  | project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
  | join kind=leftouter
  (
      SecurityEvent
      //| where Computer in (DCServersList)
      | where EventID == 4624 and LogonType == 3
      | where AccountType != 'Machine'
      | project TargetLogonId, IpAddress, Computer
  )
  on $left.SubjectLogonId == $right.TargetLogonId and $left.Computer == $right.Computer
  | project-reorder TimeGenerated, Computer, Account, IpAddress
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountNTDomain = tostring(split(Account, "\\")[0]), AccountName = tostring(split(Account, "\\")[1])  
description: |
  'This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).
  A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.
  A domain user with privileged permissions to use directory replication services is rare.'  
queryFrequency: 1d
severity: High
triggerOperator: gt
tactics:
- CredentialAccess