Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Non Domain Controller Active Directory Replication

Back
Idb9d2eebc-5dcb-4888-8165-900db44443ab
RulenameNon Domain Controller Active Directory Replication
DescriptionThis query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).

A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.

A domain user with privileged permissions to use directory replication services is rare.
SeverityHigh
TacticsCredentialAccess
TechniquesT1003
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml
Version1.0.4
Arm templateb9d2eebc-5dcb-4888-8165-900db44443ab.json
Deploy To Azure
// Enter a reference list of hostnames for your DC servers
//let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
SecurityEvent
//| where Computer in (DCServersList)
| where EventID == 4662 and ObjectServer == 'DS'
| where AccountType != 'Machine'
| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes
    or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All
    or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set
| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
| join kind=leftouter
(
    SecurityEvent
    //| where Computer in (DCServersList)
    | where EventID == 4624 and LogonType == 3
    | where AccountType != 'Machine'
    | project TargetLogonId, IpAddress
)
on $left.SubjectLogonId == $right.TargetLogonId
| project-reorder TimeGenerated, Computer, Account, IpAddress
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpAddress
queryFrequency: 1d
name: Non Domain Controller Active Directory Replication
severity: High
kind: Scheduled
tactics:
- CredentialAccess
triggerThreshold: 0
query: |
  // Enter a reference list of hostnames for your DC servers
  //let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]);
  SecurityEvent
  //| where Computer in (DCServersList)
  | where EventID == 4662 and ObjectServer == 'DS'
  | where AccountType != 'Machine'
  | where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes
      or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All
      or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set
  | project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer
  | join kind=leftouter
  (
      SecurityEvent
      //| where Computer in (DCServersList)
      | where EventID == 4624 and LogonType == 3
      | where AccountType != 'Machine'
      | project TargetLogonId, IpAddress
  )
  on $left.SubjectLogonId == $right.TargetLogonId
  | project-reorder TimeGenerated, Computer, Account, IpAddress
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])  
triggerOperator: gt
queryPeriod: 7d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml
relevantTechniques:
- T1003
status: Available
id: b9d2eebc-5dcb-4888-8165-900db44443ab
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
version: 1.0.4
description: |
  'This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).
  A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.
  A domain user with privileged permissions to use directory replication services is rare.'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b9d2eebc-5dcb-4888-8165-900db44443ab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b9d2eebc-5dcb-4888-8165-900db44443ab')]",
      "properties": {
        "alertRuleTemplateName": "b9d2eebc-5dcb-4888-8165-900db44443ab",
        "customDetails": null,
        "description": "'This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare.'\n",
        "displayName": "Non Domain Controller Active Directory Replication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml",
        "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n    or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n    or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n    SecurityEvent\n    //| where Computer in (DCServersList)\n    | where EventID == 4624 and LogonType == 3\n    | where AccountType != 'Machine'\n    | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, \"\\\\\")[0]), AccountNTDomain = tostring(split(Account, \"\\\\\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}