
Summary
This detection rule identifies potential DCSync or DCShadow attacks by monitoring remote RPC calls to the Microsoft Directory Replication Service (MS-DRSR) that originate from hosts which are not Domain Controllers (DCs). Because a DCSync attack lets an attacker impersonate a domain controller and request the password hashes of user accounts through replication, such activity must be monitored closely. The rule relies on the RPC Firewall: it must be installed and applied to all processes, with auditing enabled for the MS-DRSR UUID and its risky operations restricted to trusted IP addresses (notably the DCs). Detections are read from the dedicated 'RPCFW' event log, matching EventID 3 together with the MS-DRSR interface UUID, while the harmless operations (OpNum 0, 1 and 12) are filtered out to minimize false positives. Monitoring these calls is important for keeping an Active Directory environment secure and for responding to unauthorized attempts to replicate or modify AD objects.
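The matching logic described above, written out as an added example rather than the rule's own code: it evaluates constructed RPCFW events (the field names `Channel`, `EventID`, `InterfaceUuid`, `OpNum` and `SourceAddress` are assumed, not the RPC Firewall's actual schema) and alerts only on MS-DRSR calls with a non-benign OpNum from an address outside the trusted DC set.

```python
from ipaddress import ip_address

# MS-DRSR (drsuapi) interface UUID and the opnums the rule treats as benign:
# 0 = DsBind, 1 = DsUnbind, 12 = DsCrackNames (bind/unbind and name lookups).
MS_DRSR_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
BENIGN_OPNUMS = {0, 1, 12}
RPCFW_EVENT_ID = 3


def is_suspicious_drsr_call(event: dict, trusted_dcs: set) -> bool:
    """Mirror the rule: RPCFW EventID 3 on the MS-DRSR UUID, a non-benign
    opnum, and a caller that is not one of the known domain controllers."""
    if event.get("Channel") != "RPCFW" or event.get("EventID") != RPCFW_EVENT_ID:
        return False
    if str(event.get("InterfaceUuid", "")).lower() != MS_DRSR_UUID:
        return False
    if int(event.get("OpNum", -1)) in BENIGN_OPNUMS:
        return False  # bind/unbind/name lookup: noise, not replication
    try:
        src = str(ip_address(event.get("SourceAddress", "")))
    except ValueError:
        return True  # malformed source address: surface it rather than drop it
    return src not in trusted_dcs


def find_drsr_alerts(events, trusted_dcs):
    return [e for e in events if is_suspicious_drsr_call(e, trusted_dcs)]


# Constructed sample events and DC list (assumed field names, made-up addresses).
TRUSTED_DCS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_EVENTS = [
    # DC-to-DC replication request (DRSGetNCChanges, opnum 3): expected, not alerted
    {"Channel": "RPCFW", "EventID": 3, "InterfaceUuid": MS_DRSR_UUID,
     "OpNum": 3, "SourceAddress": "10.0.0.11", "ProcessId": 624},
    # Workstation requesting NC changes: the DCSync pattern, alerted
    {"Channel": "RPCFW", "EventID": 3, "InterfaceUuid": MS_DRSR_UUID.upper(),
     "OpNum": 3, "SourceAddress": "10.0.5.23", "ProcessId": 624},
    # Workstation only binding to the interface (opnum 0): filtered as benign
    {"Channel": "RPCFW", "EventID": 3, "InterfaceUuid": MS_DRSR_UUID,
     "OpNum": 0, "SourceAddress": "10.0.5.23", "ProcessId": 624},
    # Some other RPC interface (placeholder UUID): out of scope for this rule
    {"Channel": "RPCFW", "EventID": 3, "InterfaceUuid": "12345678-1234-abcd-ef00-0123456789ab",
     "OpNum": 3, "SourceAddress": "10.0.5.23", "ProcessId": 624},
]

if __name__ == "__main__":
    for alert in find_drsr_alerts(SAMPLE_EVENTS, TRUSTED_DCS):
        print(f"ALERT: MS-DRSR opnum {alert['OpNum']} from non-DC {alert['SourceAddress']}")
```

Note that the trusted DC list is the weak point of the rule: a stale or over-broad list suppresses exactly the events it is meant to catch, so it should be generated from the directory rather than maintained by hand.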
Categories
- Windows
- Network
- Identity Management
Data Sources
- Application Log
- Network Traffic
Created: 2022-01-01