Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Mimikatz DC Sync

Detects Mimikatz DC sync security events

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina IonescuCreated Sun Jun 03Updated Tue Apr 26611eab06-a145-4dfa-a295-3ccc5c20f59awindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic4 selectors
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - 'Replicating Directory Changes All'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '9923a32a-3607-11d2-b9be-0000f87a36b2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
        AccessMask: '0x100'
    filter1:
        SubjectDomainName: 'Window Manager'
    filter2:
        SubjectUserName|startswith:
            - 'NT AUT'
            - 'MSOL_'
    filter3:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter*
False Positives

Valid DC Sync that is not covered by the filters; please report

Local Domain Admin account used for Azure AD Connect

References
1
Resolving title…
twitter.com
2
Resolving title…
gist.github.com
3
Resolving title…
blog.blacklanternsecurity.com
4
Resolving title…
learn.microsoft.com
MITRE ATT&CK

Sub-techniques

T1003.006 · DCSync
Rule Metadata
Rule ID
611eab06-a145-4dfa-a295-3ccc5c20f59a
Status
test
Level
high
Type
Detection
Created
Sun Jun 03
Modified
Tue Apr 26
Author
Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu
Path
rules/windows/builtin/security/win_security_dcsync.yml
Raw Tags
attack.credential-accessattack.s0002attack.t1003.006
View on GitHub