Query Details

RULE 28 AD Exchange Write DACL DC Sync

Query

// =========================================================
// RULE-28 | AD-Exchange-WriteDACL-DCSync
// Description : Exchange Trusted Subsystem WriteDACL → DCSync
//               escalation (PrivExchange chain) detection.
//               Event 5136 showing DS-Replication-Get-Changes
//               or DS-Replication-Get-Changes-All rights
//               granted on the domain root object, where the
//               writing account is a member of
//               "Exchange Windows Permissions" or
//               "Exchange Trusted Subsystem".
//               The Exchange Trusted Subsystem group has
//               WriteDACL on the domain root by default.
//               By relaying Exchange server NTLM auth to LDAP
//               (PrivExchange), an attacker can grant DCSync
//               rights to themselves — then dump all hashes.
// Severity    : Critical
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.006 — DCSync
//               T1078      — Valid Accounts
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Replication GUIDs that grant DCSync capability
let ReplicateAllGUID = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
let ReplicateGUID    = "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2";

// Exchange-related group members (recent adds).
// Caveat: this only captures members added in the last 30 days. Accounts that
// have been members since Exchange was installed (e.g. the Exchange server
// computer accounts in "Exchange Trusted Subsystem") will not be in this list;
// widen the window or seed it from a group inventory if they must be covered.
let ExchangeGroupMembers = SecurityEvent
    | where TimeGenerated > ago(30d)
    | where EventID in (4728, 4732, 4756)    // member added to global / local / universal security group
    | where TargetUserName has_any (
        "Exchange Windows Permissions",
        "Exchange Trusted Subsystem",
        "Organization Management",
        "Exchange Servers"
    )
    // MemberName in these events is the member's distinguished name (CN=...,OU=...),
    // not its sAMAccountName, so the join below is keyed on the member SID instead.
    | summarize by ExchangeMemberSid = MemberSid,
                   ExchangeMember    = tolower(MemberName),
                   ExchangeGroup     = TargetUserName;

// DCSync rights granted on domain root
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5136                        // A directory service object was modified
| where ObjectClass =~ "domainDNS"             // the domain root object
| where OperationType == "%%14674"             // Value Added (new ACE written to nTSecurityDescriptor)
| where AttributeValue has_any (ReplicateAllGUID, ReplicateGUID)
| extend
    ActorAcct  = strcat(SubjectDomainName, "\\", SubjectUserName)
// Correlate: the writing account is an Exchange group member. Match on SID, which is
// the same identifier in 5136 (SubjectUserSid) and in 4728/4732/4756 (MemberSid).
| join kind=inner (ExchangeGroupMembers) on $left.SubjectUserSid == $right.ExchangeMemberSid
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "Exchange_WriteDACL_DCSync_PrivExchange_Chain; ",
        "Exchange_Group: ", ExchangeGroup, "; ",
        "DCSync_Right_Granted_By: ", ActorAcct, "; ",
        "Target_Object: ", ObjectDN, "; ",
        "Right: ", case(
            AttributeValue has ReplicateAllGUID,
            "DS-Replication-Get-Changes-All (Full DCSync)",
            "DS-Replication-Get-Changes"
        )
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAcct,
    ExchangeGroup,
    ObjectDN,
    Computer,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific security threat involving Microsoft Exchange servers and Active Directory. Here's a simplified explanation:

  1. Purpose: The query aims to identify potential unauthorized access where an attacker might exploit Exchange server permissions to gain domain controller synchronization (DCSync) rights. This could allow them to extract sensitive data like password hashes.

  2. Threat Context:
    • PrivExchange Chain: An attacker could relay Exchange server authentication to grant themselves DCSync rights.
    • DCSync Rights: These rights allow an entity to replicate directory data, which can be used to extract all user password hashes from Active Directory.

  3. Detection Mechanism:
    • Event Monitoring: It looks for specific security events (Event ID 5136) that indicate changes to directory permissions, specifically those granting DCSync capabilities.
    • Exchange Group Members: It checks whether the account making these changes is a member of certain Exchange-related groups, which have elevated permissions by default.

  4. Technical Details:
    • Look-back Period: The query examines events from the last 15 minutes, running every 15 minutes.
    • Replication GUIDs: It identifies changes involving specific GUIDs that are associated with DCSync rights.
    • Correlating Data: It cross-references accounts making these changes with those recently added to Exchange groups.

  5. Output:
    • The query generates a list of suspicious activities, highlighting the severity as "Critical" and providing details on why the activity is suspicious, including which Exchange group was involved and the rights granted.

  6. Security Framework:
    • The query aligns with MITRE ATT&CK techniques T1003.006 (DCSync) and T1078 (Valid Accounts), indicating its relevance to known attack methods.

In essence, this query is a security measure to detect and alert on potential misuse of Exchange server permissions that could lead to a significant security breach in an organization's Active Directory environment.
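The rule's detection logic, written out as an added Python example (not part of the original rule or page): it parses the SDDL that a 5136 event carries in AttributeValue for object ACEs granting either replication right, then applies the rule's remaining filters and the Exchange-group correlation keyed on SID. The event, SIDs, account names and group membership below are constructed samples.

```python
import re
# Extended-right GUIDs that confer DCSync capability (the same values the rule above matches on).
DCSYNC_GUIDS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All (Full DCSync)",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
}

def dcsync_grants(sddl):
    """Return [(trustee_sid, right_name)] for each DACL ACE granting a DCSync extended right."""
    # ACE layout (type;flags;rights;object_guid;inherit_guid;sid); a DCSync grant is an "OA" ACE
    # (object access allowed) with CR (control access) in rights and a replication GUID as object.
    dacl = re.search(r"D:[PAIRO]*((?:\([^)]*\))+)", sddl)   # DACL section only; an S: SACL may follow
    if not dacl:
        return []
    grants = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, sid = fields[:6]
        if ace_type == "OA" and "CR" in rights and obj_guid.lower() in DCSYNC_GUIDS:
            grants.append((sid, DCSYNC_GUIDS[obj_guid.lower()]))
    return grants

def evaluate(event, exchange_members):
    """Apply the rule's filters to one parsed 5136 event; return an alert dict or None."""
    # exchange_members maps member SID -> group: 4728/4732/4756 MemberSid equals 5136 SubjectUserSid
    # for the same account, whereas MemberName in those events is a DN, not the logon name.
    if event.get("EventID") != 5136 or event.get("ObjectClass", "").lower() != "domaindns":
        return None
    if event.get("OperationType") != "%%14674":            # Value Added: an ACE was written
        return None
    grants = dcsync_grants(event.get("AttributeValue", ""))
    group = exchange_members.get(event.get("SubjectUserSid"))
    if not grants or group is None:
        return None
    return {"Severity": "Critical", "ExchangeGroup": group, "ObjectDN": event.get("ObjectDN"),
            "ActorAcct": "%s\\%s" % (event["SubjectDomainName"], event["SubjectUserName"]),
            "Grants": grants}

# Constructed sample (not a real log): the Exchange server computer account writes two
# replication-right ACEs for a user onto the domain root. All SIDs and names are made up.
SID_BASE = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENT = {
    "EventID": 5136, "ObjectClass": "domainDNS", "OperationType": "%%14674",
    "ObjectDN": "DC=corp,DC=example", "SubjectDomainName": "CORP", "SubjectUserName": "EXCH01$",
    "SubjectUserSid": SID_BASE + "-1120",
    "AttributeValue": "O:DAG:DAD:(A;;RPWPCR;;;DA)"
                      f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID_BASE}-1105)"
                      f"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;{SID_BASE}-1105)",
}
EXCHANGE_MEMBERS = {SID_BASE + "-1120": "Exchange Trusted Subsystem"}
```

Feeding a 5136 event whose writer is not in the membership map, or whose OperationType is the "Value Deleted" code, returns None, mirroring the rule's filters.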

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Exchange, DCSync, Domain, Actor, Account, Computer, UserName, DomainName, ObjectClass, OperationType, AttributeValue, MemberName, GroupName

Operators

let, ago, in, has_any, summarize by, tolower, where, ==, =~, extend, strcat, join kind=inner, on, case, project, order by, desc
