DCSync detection

Description: The DCSync technique abuses the Directory Replication Service Remote (DRSR) protocol to pull sensitive directory data from a domain controller, which this search surfaces through Event ID 4662 replication-rights access by non-machine accounts.
SPL:

index="windows" EventCode=4662 Properties IN ("*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*", "*{19195a5b-6da0-11d0-afd3-00c04fd930c9}*", "*{89e95b76-444d-4c62-991a-0facbeda640c}*") NOT SubjectUserName IN ("*$", "AADSync-Service")
| rename signature AS EventDescription
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S %z"), admin_lookup=replace(SubjectUserName,"^(\w+)_admin","\1")
| lookup ad_users sAMAccountName AS admin_lookup OUTPUT displayName AS Name, mail AS Email
| table Time, host, SubjectUserName, EventCode, EventDescription, ObjectName, Properties, Name, Email
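The SPL above, re-expressed as an added Python example (not part of the original page) that applies the same three conditions to constructed 4662 records: the replication-rights GUIDs in Properties, the "*$" / AADSync-Service subject exclusions, and the `_admin` suffix normalisation before the user lookup. The GUID labels are the well-known Active Directory right names for those values; `AD_USERS`, `SAMPLE_EVENTS` and the host/object names are constructed stand-ins for the `ad_users` lookup and the `windows` index.

```python
import re

# Rights GUIDs the SPL looks for in Properties (well-known AD values; labels added here).
REPLICATION_GUIDS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "19195a5b-6da0-11d0-afd3-00c04fd930c9": "Domain-DNS class",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Constructed stand-in for the ad_users lookup: sAMAccountName -> (displayName, mail).
AD_USERS = {"jdoe": ("Jane Doe", "jdoe@example.test")}
# Constructed 4662 events carrying the fields the SPL reads.
DOMAIN = "DC=corp,DC=example,DC=test"
SAMPLE_EVENTS = [
    {"EventCode": 4662, "host": "dc01", "SubjectUserName": "jdoe_admin", "ObjectName": DOMAIN,
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
    {"EventCode": 4662, "host": "dc01", "SubjectUserName": "DC02$", "ObjectName": DOMAIN,
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventCode": 4662, "host": "dc01", "SubjectUserName": "AADSync-Service", "ObjectName": DOMAIN,
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventCode": 4662, "host": "dc01", "SubjectUserName": "jdoe", "ObjectName": "CN=Users," + DOMAIN,
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def is_excluded_subject(name):
    # NOT SubjectUserName IN ("*$", "AADSync-Service"): drop computer accounts and the sync service.
    return name.endswith("$") or name == "AADSync-Service"

def matched_rights(properties):
    # Properties IN ("*{guid}*", ...): every replication GUID present in the field, in order.
    guids = re.findall(r"\{([0-9a-f-]{36})\}", properties.lower())
    return [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]

def dcsync_hits(events):
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4662 or is_excluded_subject(ev["SubjectUserName"]):
            continue
        rights = matched_rights(ev["Properties"])
        if not rights:
            continue
        # admin_lookup=replace(SubjectUserName,"^(\w+)_admin","\1"): map jdoe_admin -> jdoe
        admin_lookup = re.sub(r"^(\w+)_admin", r"\1", ev["SubjectUserName"])
        name, email = AD_USERS.get(admin_lookup, (None, None))
        hits.append({"host": ev["host"], "SubjectUserName": ev["SubjectUserName"],
                     "ObjectName": ev["ObjectName"], "rights": rights, "Name": name, "Email": email})
    return hits
```

Only the `jdoe_admin` record survives: the machine account and AADSync-Service are excluded, and the fourth event touches no replication right.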