DCSync
Event ID 4662: An operation was performed on an object.
Focus on the Properties field.
Are you logging Object Access currently? You can find out by running: AuditPol.exe /get /category:"Object Access"
The following values are the Control Access values important to DCSync attacks:
• {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes
• {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All
• {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes-In-Filtered-Set
• {9923a32a-3607-11d2-b9be-0000f87a36b2} – DS-Install-Replica
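
The check described above, as an added example that is not part of the original page: it reads the Properties field of exported 4662 events and reports any of the four GUIDs requested by an account outside an allow-list. The sample events, the account names and the allow-list of expected replication accounts are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Control Access GUIDs from the list above.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def event_xml(user, props):
    """Constructed, trimmed 4662 event (real events carry more fields)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4662</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="AccessMask">0x100</Data>'
            f'<Data Name="Properties">{props}</Data></EventData></Event>')

# Constructed sample events; account names are hypothetical.
SAMPLE_EVENTS = [
    event_xml("DC01$", "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    event_xml("jsmith", "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} "
                        "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"),
    event_xml("helpdesk", "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"),
]

def check_event(xml_text, expected_accounts):
    """Return an alert dict if a 4662 event names a replication right
    and the subject is not an expected replication account, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    found = {g.lower() for g in GUID_RE.findall(data.get("Properties", ""))}
    rights = sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)
    user = data.get("SubjectUserName", "")
    if not rights or user.lower() in {a.lower() for a in expected_accounts}:
        return None
    return {"user": user, "rights": rights}

def scan(events, expected_accounts):
    return [a for a in (check_event(e, expected_accounts) for e in events) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, {"DC01$"}):
        print(alert)
```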