DCSync

Event ID 4662: An operation was performed on an object.

Focus on the Properties field of the event.

Are you logging Object Access currently? You can find out by running: AuditPol.exe /get /category:"Object Access"

The following values are the Control Access values important to DCSync attacks:

• {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes

• {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All

• {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes-In-Filtered-Set

• {9923a32a-3607-11d2-b9be-0000f87a36b2} – DS-Install-Replica
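One way to apply the list above when reviewing exported 4662 events, as an added example that is not part of the original page: it reads the Properties field of each event and reports accounts whose access included one of these GUIDs. The trimmed event XML, the account names and the expected_accounts allowlist are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Control Access GUIDs listed on this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def replication_rights_in_event(event_xml, expected_accounts=()):
    """Return (account, [rights]) when a 4662 event's Properties field names a
    replication right and the account is not expected; otherwise None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    account = data.get("SubjectUserName", "")
    # Assumption: the caller supplies the accounts that legitimately replicate.
    if account.lower() in {a.lower() for a in expected_accounts}:
        return None
    found = [g.lower() for g in GUID_RE.findall(data.get("Properties", ""))]
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in found]
    return (account, rights) if rights else None

def make_event(user, properties, event_id="4662"):
    """Build a constructed, trimmed event record for the sample data below."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="Properties">{properties}</Data></EventData></Event>')

REPL = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
        "\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}")
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    make_event("jdoe", REPL),
    make_event("DC01$", REPL),
    make_event("svc_backup", "%%7688\n\t{00000000-0000-0000-0000-000000000000}"),
    make_event("jdoe", REPL, event_id="4624"),
]

def scan(events, expected_accounts=()):
    return [hit for ev in events if (hit := replication_rights_in_event(ev, expected_accounts))]

if __name__ == "__main__":
    for account, rights in scan(SAMPLE_EVENTS, expected_accounts=["DC01$"]):
        print(f"review: {account} used {', '.join(rights)}")
```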
