KQL Search

Query Details

HomeAI ToolsDevice Query

RULE 03 AD DC Sync Non DC Replication

Query

// =========================================================
// RULE-03 | AD-DCSync-NonDC-Replication
// Description : DCSync detection — Event 4662 showing
//               DS-Replication-Get-Changes-All (or -Get-Changes)
//               access rights exercised by a source that is NOT
//               a known Domain Controller computer account.
//               Covers Mimikatz lsadump::dcsync, secretsdump,
//               and impacket GetUserSPNs with -just-dc flag.
// Severity    : Critical (any non-DC DCSync)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.006 — DCSync
// Tables      : SecurityEvent
// NOT duplicated: Sentinel built-in "Rare DCSync Activity" fires
//               on volume; this rule fires on ANY non-DC source
//               using exact DS-Replication GUIDs.
// =========================================================

let LookBack = 15m;

// DS-Replication-Get-Changes-All GUID
let ReplicationAllGUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
// DS-Replication-Get-Changes GUID
let ReplicationGUID    = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";

// Build dynamic DC list from this workspace (KDC-issuing machines)
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DCName = toupper(Computer)
    | project DCName;

let KnownDCAccounts = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | where TargetUserName endswith "$"
    | summarize by MachineAcct = toupper(TargetUserName);

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4662                           // Operation performed on AD object
| where ObjectType has "domainDNS"
| where AccessMask == "0x100"                     // Control Access
| where Properties has ReplicationAllGUID
    or Properties has ReplicationGUID
// Exclude actual Domain Controllers
| where not(toupper(SubjectUserName) endswith "$"
            and toupper(SubjectUserName) in~ (KnownDCAccounts))
| where not(toupper(Computer) in~ (KnownDCNames))
| extend
    ActorAccount      = strcat(SubjectDomainName, "\\", SubjectUserName),
    IsServiceAccount  = SubjectUserName endswith "$",
    ReplicationRight  = case(
        Properties has ReplicationAllGUID, "DS-Replication-Get-Changes-All (Full DCSync)",
        Properties has ReplicationGUID,    "DS-Replication-Get-Changes (Partial)",
        "Unknown Replication Right"
    )
| summarize
    DCsyncCount        = count(),
    TargetObjects      = make_set(ObjectName, 10),
    ReplicationRights  = make_set(ReplicationRight),
    EarliestEvent      = min(TimeGenerated),
    LatestEvent        = max(TimeGenerated)
    by ActorAccount, SubjectUserName, SubjectDomainName, Computer, IsServiceAccount
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "DCSync_From_NonDC; ",
        iff(IsServiceAccount, "ServiceAccount_Source; ", "UserAccount_Source; "),
        ReplicationRights
    )
| project
    TimeGenerated    = LatestEvent,
    Severity,
    WhySuspicious,
    ActorAccount,
    Computer,
    DCsyncCount,
    ReplicationRights,
    TargetObjects,
    EarliestEvent,
    LatestEvent
| order by DCsyncCount desc

Explanation

This query is designed to detect suspicious DCSync activities in an Active Directory environment. Here's a simplified explanation:

  1. Purpose: The query identifies instances where non-Domain Controller (non-DC) accounts attempt to perform DCSync operations. DCSync is a technique used to replicate directory data, which can be exploited by attackers to extract sensitive information like password hashes.

  2. Frequency: It runs every 15 minutes and looks back over the past 15 minutes for relevant events.

  3. Severity: Any detected non-DC DCSync activity is considered critical.

  4. Detection Logic:

    • It checks for Event ID 4662, which indicates an operation performed on an Active Directory object.
    • Specifically, it looks for operations with access rights related to directory replication (using specific GUIDs).
    • It excludes known Domain Controllers by dynamically building a list of DC names and accounts from recent events (Event ID 4768).
    • It identifies suspicious activities by checking if the operation was performed by an account that is not a known DC.

  5. Output:

    • The query summarizes the findings, including the number of DCSync attempts, the accounts involved, and the objects targeted.
    • It provides details such as the earliest and latest events detected, the type of replication rights used, and whether the source account is a service account.
    • The results are ordered by the number of DCSync attempts, highlighting the most frequent offenders.

  6. Why Suspicious: The output includes a "WhySuspicious" field that explains why the activity is flagged, indicating whether the source was a service account or a user account and listing the replication rights used.

In essence, this query helps security teams identify potential unauthorized attempts to replicate directory data, which could indicate malicious activity like credential theft.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEventDomainControllerComputerAccountUserAccountReplicationRightEventObjectDomainNameActorAccountServiceAccountTimeGeneratedSeverity

Operators

letago()toupper()endswith()summarize byprojecthasin~extendstrcat()case()make_set()min()max()iff()summarizeorder by

Actions