Replication Delegation is a new preconfigured threat model in StealthDEFEND 2.1 designed to detect when a user, group, or computer is granted permissions to replicate a domain.
A common technique employed by cyber attackers is to use the DCSync command in Mimikatz to request password information from a Domain Controller. If successful, attackers can easily assume control of privileged accounts and employ additional attack tactics, techniques, and procedures such as Golden Tickets, ultimately resulting in full domain compromise. However, for this attack to work, the attacker must already hold the specific permissions required to perform domain replication.
In version 2.1, StealthDEFEND has been tuned to detect and alert on changes that grant domain replication permissions to any account. If such a change is detected, StealthDEFEND can automatically execute a custom playbook of actions to contain the threat and mitigate further damage.
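The permissions the text refers to are the Active Directory replication extended rights on the domain naming context. The following PowerShell script is an added illustration of how a defender can baseline which principals hold those rights and flag changes; it is not StealthDEFEND code or part of the original post. It assumes the RSAT ActiveDirectory module is available and that the baseline file path `C:\Audit\replication-rights-baseline.csv` is adjusted for your environment; the extended-right GUIDs are the schema-defined values and are not assumptions.

```powershell
# Added example (not StealthDEFEND code): enumerate principals holding Active Directory
# replication extended rights on the domain root, save a baseline, and report any drift.
Import-Module ActiveDirectory

# Schema-defined GUIDs of the replication extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid = $ace.ObjectType.ToString()
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isGenericAll = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

        if ($isExtended -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
        elseif ($isGenericAll) {
            # Full control on the domain object implicitly includes every extended right.
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = 'GenericAll (implies replication rights)'
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Baseline location is an assumption for this example; adjust for your environment.
$BaselinePath = 'C:\Audit\replication-rights-baseline.csv'
$current = Get-ReplicationRightHolders | Sort-Object Principal, Right

if (Test-Path $BaselinePath) {
    $baseline = Import-Csv -Path $BaselinePath
    $drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Principal, Right
    if ($drift) {
        # '=>' rows are new grants since the baseline; '<=' rows were removed.
        Write-Warning 'Replication right holders changed since baseline:'
        $drift | Format-Table -AutoSize
    }
    else {
        Write-Host 'No change in replication right holders.'
    }
}
else {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    $current | Format-Table -AutoSize
}
```

On a healthy domain the list is short: the Domain Controllers, Enterprise Domain Controllers, Administrators, Enterprise Admins and Domain Admins groups, plus any legitimate sync accounts such as Azure AD Connect. Any other principal appearing in the `=>` rows is exactly the kind of grant the Replication Delegation threat model is meant to surface. Running this on a schedule only samples the ACL; it complements, rather than replaces, event-driven detection of the change itself.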