Language: KQL. License: Elastic-2.0. Source: elastic/detection-rules
Potential Active Directory Replication Account Backdoor
Rule source: rules/windows/credential_access_dcsync_user_backdoor.toml
event.code:"5136" and host.os.type:"windows" and
winlog.event_data.AttributeLDAPDisplayName:"nTSecurityDescriptor" and
winlog.event_data.AttributeValue : (
  (
    *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
    *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and
    *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*
  )
)