SigmaHQ/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml

title: Dumping ntds.dit remotely via DCSync
id: 51238c62-2b29-4539-ad75-e94575368a12
description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/24
modified: 2019/11/13
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4624
        ComputerName: '%DomainControllersNamesList%'
    selection2:
        IpAddress: '%DomainControllersIpsList%'
    selection3:
        EventID: 4662
        ComputerName: '%DomainControllersNamesList%'
        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
        Properties|contains: 
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
falsepositives:
    - Legitimate administrator adding new domain controller to already existing domain
level: medium
status: experimental