Windows AD Domain Replication ACL Addition

name: Windows AD Domain Replication ACL Addition
id: 8c372853-f459-4995-afdc-280c114d33ab
version: 14
creation_date: '2022-11-17'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: The following analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set. It leverages EventCode 5136 from the Windows Security Event Log to identify when these permissions are granted. This activity is significant because it indicates potential preparation for a DCSync attack, which can be used to replicate AD objects and exfiltrate sensitive data. If confirmed malicious, an attacker could gain extensive access to Active Directory, leading to severe data breaches and privilege escalation.
data_source:
    - Windows Event Log Security 5136
search: |-
    `wineventlog_security` EventCode=5136 ObjectClass=domainDNS
      | stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType
          BY ObjectClass ObjectDN OpCorrelationID
          src_user SubjectLogonId dest
      | rex field=old_value max_match=10000 "\((?P<old_values>.*?)\)"
      | rex field=new_value max_match=10000 "\((?P<new_ace>.*?)\)"
      | mvexpand new_ace
      | where NOT new_ace IN (old_values)
      | rex field=new_ace "(?P<aceType>.*?);(?P<aceFlags>.*?);(?P<aceAccessRights>.*?);(?P<aceObjectGuid>.*?);;(?P<aceSid>.*?)$"
      | search aceObjectGuid IN ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2","89e95b76-444d-4c62-991a-0facbeda640c")
      | rex max_match=100 field=aceAccessRights "(?P<AccessRights>[A-Z]{2})"
      | rex max_match=100 field=aceFlags "(?P<aceFlags>[A-Z]{2})"
      | lookup msad_guid_lookup guid as aceObjectGuid OUTPUT displayName as ControlAccessRights
      | lookup ace_access_rights_lookup access_rights_string as AccessRights OUTPUT access_rights_value
      | lookup ace_type_lookup ace_type_string as aceType OUTPUT ace_type_value
      | lookup ace_flag_lookup flag_string as aceFlags OUTPUT flag_value as ace_flag_value
      | lookup builtin_groups_lookup builtin_group_string as aceSid OUTPUT builtin_group_name as builtin_group
      | eval aceType=coalesce(ace_type_value,aceType), aceFlags=coalesce(ace_flag_value,"This object only"), aceAccessRights=if(aceAccessRights="CCDCLCSWRPWPDTLOCRSDRCWDWO","Full control",coalesce(access_rights_value,AccessRights)), aceControlAccessRights=coalesce(ControlAccessRights,aceObjectGuid), user=coalesce(user, group, builtin_group, aceSid)
      | stats min(_time) as _time values(aceType) as aceType values(aceFlags) as aceFlags(inheritance) values(aceControlAccessRights) as aceControlAccessRights values(aceAccessRights) as aceAccessRights values(new_ace) as new_ace values(SubjectLogonId) as SubjectLogonId
          BY ObjectClass ObjectDN src_user dest user
      | search (aceControlAccessRights="Replicating Directory Changes" AND aceControlAccessRights="Replicating Directory Changes All") OR (aceControlAccessRights="1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" AND aceControlAccessRights="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
      | `windows_ad_domain_replication_acl_addition_filter`
how_to_implement: To successfully implement this search, you need to be ingesting the eventcode 5136. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to  `Write All Properties` applied to the domain root and all descendant objects. Once the necessary logging has been enabled, enumerate the domain policy to verify if existing accounts with access need to be whitelisted, or revoked. Assets and Identities is also leveraged to automatically translate the objectSid into username. Ensure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects.
known_false_positives: When there is a change to nTSecurityDescriptor, Windows logs the entire ACL with the newly added components. If existing accounts are present with this permission, they will raise an alert each time the nTSecurityDescriptor is updated unless whitelisted.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb
    - https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
    - https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
drilldown_searches:
    - name: View the detection results for - "$user$" and "$src_user$"
      search: '%original_detection_search% | search  user = "$user$" src_user = "$src_user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$src_user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: $src_user$ has granted $user$ permission to replicate AD objects
    entity:
        field: src_user
        type: user
        score: 50
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 50
          message: $src_user$ has granted $user$ permission to replicate AD objects
analytic_story:
    - Compromised Windows Host
    - Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
    - T1484
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      description: PORTED MANUAL TEST - This search uses a lookup provided by Enterprise Security and needs to be manually tested.
      test_type: experimental