title: Mimikatz DC Sync
author: Benjamin Delpy, Florian Roth, Scott Dermott
date: 2018/06/03
description: Detects Mimikatz DC sync security events
detection:
    SELECTION_1:
        EventID: 4662
    SELECTION_2:
        Properties: '*Replicating Directory Changes All*'
    SELECTION_3:
        Properties: '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
    SELECTION_4:
        SubjectDomainName: Window Manager
    SELECTION_5:
        SubjectUserName: NT AUTHORITY*
    SELECTION_6:
        SubjectUserName: MSOL_*
    SELECTION_7:
        SubjectUserName: '*$'
    condition: ((((SELECTION_1 and (SELECTION_2 or SELECTION_3)) and  not (SELECTION_4))
        and  not ((SELECTION_5 or SELECTION_6))) and  not (SELECTION_7))
falsepositives:
- Valid DC Sync that is not covered by the filters; please report
- Local Domain Admin account used for Azure AD Connect
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
level: high
logsource:
    product: windows
    service: security
modified: 2021/08/09
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
status: experimental
tags:
- attack.credential_access
- attack.s0002
- attack.t1003
- attack.t1003.006
yml_filename: win_dcsync.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin