{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1484/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["attack.persistence","attack.privilege_escalation","attack.t1484","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies the granting of the Active Directory replication extended rights that a DCSync attack depends on. In a DCSync attack the attacker asks a domain controller to replicate directory data, as a peer domain controller would, and receives the password hashes stored in the Active Directory database; the hashes of privileged accounts are enough to take over the domain. The detection relies on Event ID 5136, which records the modification of an attribute on an Active Directory object. When an ACL is edited, the modified attribute is \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e and the event carries the new security descriptor, which can be inspected for ACEs granting \u0026ldquo;DS-Replication-Get-Changes\u0026rdquo;, \u0026ldquo;DS-Replication-Get-Changes-All\u0026rdquo;, or \u0026ldquo;DS-Replication-Get-Changes-In-Filtered-Set\u0026rdquo; to a principal (replicating secrets requires the first two together; the third covers only the attributes in the RODC filtered attribute set). Such a grant to an account that is neither a domain controller nor a built-in administrative group is a strong indicator of an attacker preparing for DCSync. Successful exploitation leads to domain-wide privilege escalation and exposure of every credential stored in the directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the target network, for example through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to a level sufficient to modify Active Directory object permissions.
This may involve exploiting local vulnerabilities or leveraging existing administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool such as \u003ccode\u003edsacls.exe\u003c/code\u003e, \u003ccode\u003eSet-Acl\u003c/code\u003e against the \u003ccode\u003eAD:\u003c/code\u003e drive of the ActiveDirectory PowerShell module, or the Exchange Management Shell cmdlet \u003ccode\u003eAdd-ADPermission\u003c/code\u003e to modify the DACL of the domain root object (the head of the domain naming context) in Active Directory. They grant the extended rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set to an account they control. An unscoped grant of all extended rights, or of full control, on the domain root confers the same capability without naming these rights, so a detection should treat such ACEs equivalently.\u003c/li\u003e\n\u003cli\u003eProvided that Directory Service Changes auditing is enabled and a matching SACL exists on the object, Windows Security Event 5136 is generated with \u003ccode\u003eAttributeLDAPDisplayName\u003c/code\u003e set to \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e, logging the modification of the ACL.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like Mimikatz (specifically the \u003ccode\u003elsadump::dcsync\u003c/code\u003e module), Impacket\u0026rsquo;s \u003ccode\u003esecretsdump.py\u003c/code\u003e or custom code to initiate a DCSync attack: it sends an MS-DRSR \u003ccode\u003eIDL_DRSGetNCChanges\u003c/code\u003e replication request to a domain controller, impersonating a peer domain controller.\u003c/li\u003e\n\u003cli\u003eThe domain controller returns the requested objects, including the password hashes held in the Active Directory database (NTDS.dit), to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes to obtain plaintext passwords or uses the NT hashes directly in pass-the-hash attacks to gain access to other systems within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the Active Directory domain, enabling them to compromise critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DCSync attack gives the attacker complete control over the Active Directory domain. This enables them to compromise critical systems, steal sensitive data, and disrupt business operations. The impact ranges from data breaches and financial losses to reputational damage and legal repercussions.
Given that Active Directory is the backbone of many organizations\u0026rsquo; IT infrastructure, the compromise of AD can lead to widespread and severe damage across the entire enterprise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Advanced Security Audit policy setting \u003ccode\u003eAudit Directory Service Changes\u003c/code\u003e under \u003ccode\u003eDS Access\u003c/code\u003e and configure a SACL auditing \u003ccode\u003eEveryone\u003c/code\u003e for \u003ccode\u003eWrite All Properties\u003c/code\u003e on the domain root, applied to it and all descendant objects, so that EventCode 5136 is produced. Then change the DACL of a test object in a lab domain and confirm that a 5136 with \u003ccode\u003eAttributeLDAPDisplayName\u003c/code\u003e \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e arrives at the SIEM; if it does not, add \u003ccode\u003eModify permissions\u003c/code\u003e to the SACL entry (editing a DACL exercises the Write DAC right rather than Write Property).\u003c/li\u003e\n\u003cli\u003eDeploy the Splunk ESCU detection \u0026ldquo;Windows AD Domain Replication ACL Addition\u0026rdquo; and tune its \u003ccode\u003ewindows_ad_domain_replication_acl_addition_filter\u003c/code\u003e macro for any legitimate accounts that hold replication rights (for example a directory synchronization service account).\u003c/li\u003e\n\u003cli\u003eInvestigate every EventCode 5136 in which \u0026ldquo;DS-Replication-Get-Changes\u0026rdquo;, \u0026ldquo;DS-Replication-Get-Changes-All\u0026rdquo;, or \u0026ldquo;DS-Replication-Get-Changes-In-Filtered-Set\u0026rdquo; is granted to a principal that did not already hold it: identify the subject account that made the change, the target object, and the trustee SID in the new ACE, and check whether the change was part of an approved request.\u003c/li\u003e\n\u003cli\u003eEnumerate the DACL of the domain root (for example with \u003ccode\u003edsacls\u003c/code\u003e or \u003ccode\u003eGet-Acl\u003c/code\u003e on the \u003ccode\u003eAD:\u003c/code\u003e drive) to establish which principals already hold replication rights, and decide for each whether it should be added to the filter macro or have the right revoked, as documented in the \u0026ldquo;how_to_implement\u0026rdquo; section of the original Splunk detection.\u003c/li\u003e\n\u003cli\u003eEnsure your identities lookup is configured with the sAMAccountName and objectSid of all AD user and computer objects, so the trustee SID in the new ACE resolves to an account name, as documented in the \u0026ldquo;how_to_implement\u0026rdquo; section of the original Splunk
detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:58:45Z","date_published":"2026-05-28T17:58:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-domain-replication-acl-addition/","summary":"This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.","title":"Windows AD Domain Replication ACL Addition","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-ad-domain-replication-acl-addition/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1484","version":"https://jsonfeed.org/version/1.1"}
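The following Python is an added example, not code from the brief or from Splunk's detection, showing the detection logic described above run over sample 5136 events and, through the same parser, the baseline enumeration the recommendations call for. It assumes the 5136 fields are available under their XML data names (`OpCorrelationID`, `OperationType`, `AttributeLDAPDisplayName`, `AttributeValue`, `SubjectUserName`, `ObjectDN`), that a replacement of the single-valued `nTSecurityDescriptor` attribute produces a Value Deleted event (`%%14675`, old descriptor) and a Value Added event (`%%14674`, new descriptor) sharing one `OpCorrelationID`, and that the SDDL aliases in `BASELINE_PRINCIPALS` are the expected holders of replication rights; the events, SIDs and account names are constructed for the example.

```python
"""Flag new DCSync-enabling ACEs in Windows Security Event 5136 (added example,
not the brief's or Splunk's code): parse the SDDL in AttributeValue, pair the
Value Deleted / Value Added events by OpCorrelationID, and diff the ACEs."""
import re
from collections import defaultdict

# rightsGuid values of the replication extended rights; identical in every forest.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: SDDL aliases of principals expected to hold replication rights on the
# domain root. Replace with what your own DACL enumeration shows, adding the SIDs
# of sanctioned sync accounts, before relying on the allowlist path below.
BASELINE_PRINCIPALS = {"BA", "DA", "EA", "DD", "ED", "RO"}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl_aces(sddl):
    """Return DACL ACEs as (type, flags, rights, object_guid, inherit_guid, trustee)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) >= 6:  # skip malformed ACEs
            aces.append(tuple(fields[:6]))
    return aces

def grants_control_access(rights):
    """True if the rights field includes CR (extended rights) or GA (full control)."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & 0x100) or bool(mask & 0x10000000)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & {"CR", "GA"})

def replication_aces(sddl):
    """Set of (trustee, right) pairs for every allow ACE granting a replication right."""
    found = set()
    for ace_type, _flags, rights, obj_guid, _inherit, trustee in parse_dacl_aces(sddl):
        if ace_type not in ("A", "OA") or not grants_control_access(rights):
            continue
        if obj_guid == "":  # unscoped CR/GA covers every extended right
            found.update((trustee, name) for name in REPLICATION_RIGHTS.values())
        elif obj_guid.lower() in REPLICATION_RIGHTS:
            found.add((trustee, REPLICATION_RIGHTS[obj_guid.lower()]))
    return found

def detect_replication_grants(events, baseline=BASELINE_PRINCIPALS):
    """Findings for replication rights newly granted in 5136 events; with the paired
    Value Deleted event present only ACEs missing from the old descriptor count,
    otherwise every grant outside the baseline does."""
    by_corr = defaultdict(dict)
    for ev in events:
        if ev.get("EventCode") == 5136 and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            by_corr[ev["OpCorrelationID"]][ev["OperationType"]] = ev
    findings = []
    for corr, ops in by_corr.items():
        added = ops.get(VALUE_ADDED)
        if added is None:
            continue
        new = replication_aces(added["AttributeValue"])
        deleted = ops.get(VALUE_DELETED)
        if deleted is not None:
            new -= replication_aces(deleted["AttributeValue"])
        else:
            new = {pair for pair in new if pair[0] not in baseline}
        for trustee, right in sorted(new):
            findings.append({"correlation": corr, "subject": added["SubjectUserName"],
                             "object": added["ObjectDN"], "trustee": trustee, "right": right})
    return findings

# Constructed sample: a default-looking domain root DACL, then the same DACL with two
# replication rights added for an ordinary user SID (also constructed).
OLD_SD = ("O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
          "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
          "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)")
ROGUE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
NEW_SD = OLD_SD + (f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{ROGUE_SID})"
                   f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{ROGUE_SID})")

def _event(corr, op, attr, value, subject="svc-backup", dn="DC=corp,DC=example"):
    return {"EventCode": 5136, "OpCorrelationID": corr, "OperationType": op,
            "SubjectUserName": subject, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value}

SAMPLE_EVENTS = [
    _event("{4E1B4E8C-0000-0000-0000-000000000001}", VALUE_DELETED, "nTSecurityDescriptor", OLD_SD),
    _event("{4E1B4E8C-0000-0000-0000-000000000001}", VALUE_ADDED, "nTSecurityDescriptor", NEW_SD),
    # Unrelated attribute change on another object; must be ignored.
    _event("{4E1B4E8C-0000-0000-0000-000000000002}", VALUE_ADDED, "description", "Help desk",
           "jdoe", "CN=jdoe,CN=Users,DC=corp,DC=example"),
]
```

Running `detect_replication_grants(SAMPLE_EVENTS)` yields two findings, both for `ROGUE_SID` (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) made by `svc-backup` on the domain root; the description change is ignored. For the baseline enumeration, feed `replication_aces` the domain root's current descriptor, for example the `Sddl` property returned by `Get-Acl` on `AD:\DC=corp,DC=example`, and the resulting (trustee, right) pairs are the principals to either allowlist in the filter macro or strip of the right. Note that the diff path catches an unscoped `CR` or `GA` grant, which the name-based search in the brief would miss.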