Non Domain Controller Active Directory Replication

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS). A Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times. A domain user with privileged permissions to use directory replication services is rare.

Attribute	Value
Type	Analytic Rule
Solution	Windows Security Events
ID	b9d2eebc-5dcb-4888-8165-900db44443ab
Severity	High
Status	Available
Kind	Scheduled
Tactics	CredentialAccess
Techniques	T1003.006
Required Connectors	SecurityEvents, WindowsSecurityEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityEvent	EventID in "4624,4662"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Windows Security Events