
Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

Author: Sagie Dulce, Dekel Paz
Created: Sat Jan 01

Log Source
Product: rpc_firewall
Category: application

Definition

Requirements: install and apply the RPC Firewall to all processes, and enable the DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (all except 0, 1 and 12) only from trusted IPs (the DCs).

Detection Logic
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
    filter:
        OpNum:
            - 0
            - 1
            - 12
    condition: selection and not filter
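As an added illustration (not part of the rule or of the RPC Firewall project), the following Python applies the `selection and not filter` logic above to a few constructed RPCFW event records; the event dictionaries, the ClientIP field and the helper names are assumptions made for this example.

```python
"""Evaluate the DCSync Sigma rule over constructed RPC Firewall (RPCFW) events."""
from typing import Dict, Iterable, List, Optional

DRSR_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"   # MS-DRSR interface UUID from the rule
BENIGN_OPNUMS = {0, 1, 12}                            # the rule's filter list


def _as_int(value) -> Optional[int]:
    """Logs may carry numbers as strings; normalise before comparing."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def matches_dcsync_rule(event: Dict) -> bool:
    """Implements `condition: selection and not filter` from the rule.

    selection: EventLog == RPCFW, EventID == 3, InterfaceUuid == DRSR UUID
    filter:    OpNum in {0, 1, 12}
    String fields are compared case-insensitively, as Sigma does by default.
    """
    selection = (
        str(event.get("EventLog", "")).lower() == "rpcfw"
        and _as_int(event.get("EventID")) == 3
        and str(event.get("InterfaceUuid", "")).lower() == DRSR_UUID
    )
    filtered = _as_int(event.get("OpNum")) in BENIGN_OPNUMS
    return selection and not filtered


def find_alerts(events: Iterable[Dict]) -> List[Dict]:
    """Return every event the rule would alert on."""
    return [e for e in events if matches_dcsync_rule(e)]


# Constructed sample events (not real telemetry); field names follow the rule.
SAMPLE_EVENTS = [
    # DRSBind (opnum 0) on the DRSR interface: excluded by the filter.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": DRSR_UUID, "OpNum": 0},
    # DRSGetNCChanges (opnum 3 in MS-DRSR) from a non-DC host: the DCSync signal.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": DRSR_UUID, "OpNum": 3, "ClientIP": "10.0.5.23"},
    # Same opnum on another interface UUID (constructed): selection does not match.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": "12345678-1234-abcd-ef00-0123456789ab", "OpNum": 3},
    # Different event ID (constructed): selection does not match.
    {"EventLog": "RPCFW", "EventID": 5, "InterfaceUuid": DRSR_UUID, "OpNum": 3},
    # DRSCrackNames (opnum 12): excluded by the filter.
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": DRSR_UUID, "OpNum": 12},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT possible DCSync:", alert)
```

Note that the rule itself carries no source-IP condition: the "only from trusted IPs" part of the requirements is enforced by the RPC Firewall configuration, not by the detection logic, so triage should still confirm the client host.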
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
56fda488-113e-4ce9-8076-afc2457922c3
Status
test
Level
high
Type
Detection
Created
Sat Jan 01
Path
rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml
Raw Tags
attack.t1033, attack.discovery