Detects unauthorized invocation of replication operations (DCSync) via Directory Replication Service (DRS), often executed by threat actors using Mimikatz or similar tools from non-DC endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Access (DC0071) | WinEventLog:Security | EventCode=4662 |
| Active Directory Object Deletion (DC0068) | WinEventLog:DirectoryService | EventCode=4929 |
| Network Traffic Content (DC0085) | NSM:Content | Traffic on RPC DRSUAPI |

| Field | Description |
|---|---|
| TimeWindow | Defines the correlation window for unusual account access followed by DRSUAPI traffic. |
| UserContext | Allows tuning for specific accounts known to legitimately request replication. |
| SourceIP | Expected replication should only come from known DCs; this field allows excluding trusted DCs. |
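The correlation the two tables describe, as an added example that is not part of this detection page: Security 4662 events whose `Properties` field names a DRS replication control-access right are flagged when the subject account is not a known replicator (UserContext), then joined with DRSUAPI network flows within a configurable window (TimeWindow) whose source is not a trusted DC (SourceIP). The three replication-right GUIDs are the well-known Active Directory values for DS-Replication-Get-Changes, -All and -In-Filtered-Set; they are not taken from the page. All event records, IP addresses and account names are constructed sample data, and the event dictionaries are an assumed normalised form rather than a real SIEM schema.

```python
"""Correlate 4662 replication-right access with DRSUAPI flows (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Control-access rights a DRS replication partner needs. Well-known AD GUIDs
# (not from the page). "-All" is the one that returns secret attributes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


@dataclass
class Alert:
    account: str
    when: datetime
    rights: set
    source_ips: list = field(default_factory=list)  # non-DC DRSUAPI sources seen in window

    @property
    def severity(self) -> str:
        # Replication right used by an unexpected account is notable on its own;
        # a matching DRSUAPI flow from a non-DC address makes it high confidence.
        return "high" if self.source_ips else "medium"


def replication_rights_in(properties: str) -> set:
    """Return the replication-right GUIDs present in a 4662 Properties field."""
    props = properties.lower()
    return {g for g in REPLICATION_RIGHTS if g in props}


def detect_dcsync(security_events, network_events, *,
                  time_window=timedelta(minutes=5),   # TimeWindow
                  allowed_accounts=frozenset(),        # UserContext
                  known_dc_ips=frozenset()):           # SourceIP
    """Return one Alert per suspicious 4662, enriched with correlated DRSUAPI sources."""
    drs_flows = [
        f for f in network_events
        if f["rpc_interface"].lower() == "drsuapi" and f["src_ip"] not in known_dc_ips
    ]
    alerts = []
    for ev in security_events:
        if ev.get("EventCode") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # 4662 for some other object/right
        account = ev["SubjectUserName"]
        if account in allowed_accounts:
            continue  # DC machine accounts and sanctioned sync accounts replicate legitimately
        when = datetime.fromisoformat(ev["TimeCreated"])
        alert = Alert(account, when, rights)
        for flow in drs_flows:
            if abs(datetime.fromisoformat(flow["timestamp"]) - when) <= time_window:
                alert.source_ips.append(flow["src_ip"])
        alerts.append(alert)
    return alerts


# Constructed sample data (assumed normalised field names, not a real SIEM schema).
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}
ALLOWED_ACCOUNTS = {"DC01$", "DC02$", "svc-dirsync"}

SAMPLE_SECURITY = [
    {"EventCode": 4662, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "jdoe",
     "Properties": "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventCode": 4662, "TimeCreated": "2024-05-01T10:00:05", "SubjectUserName": "DC02$",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"},          # legitimate DC replication
    {"EventCode": 4662, "TimeCreated": "2024-05-01T10:10:00", "SubjectUserName": "jdoe",
     "Properties": "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"},          # unrelated object access
]
SAMPLE_NETWORK = [
    {"timestamp": "2024-05-01T10:00:02", "src_ip": "10.0.5.23", "dst_ip": "10.0.0.10",
     "rpc_interface": "drsuapi"},                                       # workstation -> DC
    {"timestamp": "2024-05-01T10:00:06", "src_ip": "10.0.0.11", "dst_ip": "10.0.0.10",
     "rpc_interface": "drsuapi"},                                       # DC -> DC, trusted
]


def run_sample():
    return detect_dcsync(SAMPLE_SECURITY, SAMPLE_NETWORK,
                         allowed_accounts=ALLOWED_ACCOUNTS, known_dc_ips=KNOWN_DC_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.account} at {a.when} used {sorted(a.rights)} "
              f"correlated DRSUAPI sources: {a.source_ips}")
```

Tuning happens through the three keyword arguments: widen `time_window` if replication events and flow records come from clocks that are not tightly synchronised, and keep `allowed_accounts` limited to DC machine accounts and the specific service accounts that are documented to replicate, since an over-broad allow list is the usual way this detection is quietly disabled.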