DCSync

Event ID 4662: An operation was performed on an object.

Focus on Properties.

Are you logging Object Access currently? You can find out by running: AuditPol.exe /get /category:"Object Access”

The following values are the Control Access values important to DCSync attacks:

β€’ {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes

β€’ {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All

β€’ {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes-In-Filtered-Set

β€’ {9923a32a-3607-11d2-b9be-0000f87a36b2} – DS-Install-Replica

LogoHow to Enable the Security Auditing of Active DirectoryHow-to Guides
PreviousHacktool ArtifactsNextImpackets

Last updated