Tag
This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.