Query Details

RULE 28 AD Exchange Write DACL DC Sync

Query

// =========================================================
// RULE-28 | AD-Exchange-WriteDACL-DCSync
// Description : Exchange Trusted Subsystem WriteDACL → DCSync
//               escalation (PrivExchange chain) detection.
//               Event 5136 showing DS-Replication-Get-Changes
//               or DS-Replication-Get-Changes-All rights
//               granted on the domain root object, where the
//               writing account is a member of
//               "Exchange Windows Permissions" or
//               "Exchange Trusted Subsystem".
//               The Exchange Trusted Subsystem group has
//               WriteDACL on the domain root by default.
//               By relaying Exchange server NTLM auth to LDAP
//               (PrivExchange), an attacker can grant DCSync
//               rights to themselves — then dump all hashes.
// Severity    : Critical
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.006 — DCSync
//               T1078      — Valid Accounts
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Replication GUIDs that grant DCSync capability
let ReplicateAllGUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
let ReplicateGUID    = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";

// Exchange-related group members (recent adds)
let ExchangeGroupMembers = SecurityEvent
    | where TimeGenerated > ago(30d)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName has_any (
        "Exchange Windows Permissions",
        "Exchange Trusted Subsystem",
        "Organization Management",
        "Exchange Servers"
    )
    | summarize by ExchangeMember = tolower(MemberName),
                   ExchangeGroup  = TargetUserName;

// DCSync rights granted on domain root
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5136
| where ObjectClass =~ "domainDNS"
| where OperationType == "%%14674"             // Value written (ACE added)
| where AttributeValue has_any(ReplicateAllGUID, ReplicateGUID)
| extend
    ActorNorm  = tolower(SubjectUserName),
    ActorAcct  = strcat(SubjectDomainName, "\\", SubjectUserName)
// Correlate: actor is an Exchange group member
| join kind=inner (ExchangeGroupMembers) on $left.ActorNorm == $right.ExchangeMember
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "Exchange_WriteDACL_DCSync_PrivExchange_Chain; ",
        "Exchange_Group: ", ExchangeGroup, "; ",
        "DCSync_Right_Granted_By: ", ActorAcct, "; ",
        "Target_Object: ", ObjectDN, "; ",
        "Right: ", case(
            AttributeValue has ReplicateAllGUID,
            "DS-Replication-Get-Changes-All (Full DCSync)",
            "DS-Replication-Get-Changes"
        )
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAcct,
    ExchangeGroup,
    ObjectDN,
    Computer,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific security threat related to Microsoft Exchange servers. Here's a simplified explanation:

  1. Purpose: The query aims to identify potential unauthorized access to sensitive data in an Active Directory environment by detecting when certain permissions are granted that could allow an attacker to replicate directory data (a technique known as DCSync).

  2. Context: The detection focuses on a scenario where an attacker might exploit the Exchange Trusted Subsystem to gain DCSync rights, which could then be used to extract password hashes from the domain controller.

  3. How it Works:

    • Look-Back Period: The query checks events from the last 15 minutes.
    • Key Events: It looks for Event ID 5136, which indicates changes to directory permissions, specifically when DCSync rights are granted.
    • Exchange Group Members: It identifies recent members added to Exchange-related groups, such as "Exchange Windows Permissions" or "Exchange Trusted Subsystem", over the past 30 days.
    • Correlation: The query correlates these group members with the accounts that have granted DCSync rights, indicating a potential security breach.
    • Output: If a match is found, it flags the event as "Critical" and provides details about the suspicious activity, including the actor's account, the Exchange group involved, and the specific rights granted.
  4. Severity: The detection is marked as "Critical" due to the high risk associated with unauthorized DCSync rights.

  5. Frequency: The query runs every 15 minutes to ensure timely detection of any suspicious activities.

Overall, this query is part of a security monitoring strategy to detect and respond to potential privilege escalation and data exfiltration attempts in an Active Directory environment.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEventDomainDNSExchangeWindowsPermissionsTrustedSubsystemOrganizationManagementServersMemberNameTargetUserNameSubjectUserNameSubjectDomainNameObjectDNComputer

Operators

letago()inhas_anysummarize bytolower()where===~extendstrcat()join kind=inneroncase()projectorder bydesc

MITRE Techniques

Actions

GitHub