DCSync
Last updated
Last updated
Event ID 4662: An operation was performed on an object.
Focus on Properties.
Are you logging Object Access currently? You can find out by running: AuditPol.exe /get /category:"Object Accessβ
The following values are the Control Access values important to DCSync attacks:
β’ {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} β DS-Replication-Get-Changes
β’ {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} β DS-Replication-Get-Changes-All
β’ {89e95b76-444d-4c62-991a-0facbeda640c} β DS-Replication-Get-Changes-In-Filtered-Set
β’ {9923a32a-3607-11d2-b9be-0000f87a36b2} β DS-Install-Replica
