title: Mimikatz DC Sync
author: Benjamin Delpy, Florian Roth, Scott Dermott
date: 2018/06/03
description: Detects Mimikatz DC sync security events
detection:
  SELECTION_1:
    EventID: 4662
  SELECTION_2:
    Properties:
    - '*Replicating Directory Changes All*'
    - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
  SELECTION_3:
    SubjectDomainName: Window Manager
  SELECTION_4:
    SubjectUserName:
    - NT AUTHORITY*
    - MSOL_*
  SELECTION_5:
    SubjectUserName: '*$'
  condition: ((((SELECTION_1 and SELECTION_2) and  not (SELECTION_3)) and  not (SELECTION_4))
    and  not (SELECTION_5))
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
level: high
logsource:
  product: windows
  service: security
modified: 2021/08/09
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
status: experimental
tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
ruletype: SIGMA