Possible DC Shadow Attack

Detects DCShadow via create new SPN

Sigma rule (View on GitHub)

 1title: Possible DC Shadow Attack
 2id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
 3related:
 4    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
 5      type: derived
 6status: test
 7description: Detects DCShadow via create new SPN
 8references:
 9    - https://twitter.com/gentilkiwi/status/1003236624925413376
10    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
11    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
12author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
13date: 2019-10-25
14modified: 2022-10-17
15tags:
16    - attack.credential-access
17    - attack.t1207
18logsource:
19    product: windows
20    service: security
21    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
22detection:
23    selection1:
24        EventID: 4742
25        ServicePrincipalNames|contains: 'GC/'
26    selection2:
27        EventID: 5136
28        AttributeLDAPDisplayName: servicePrincipalName
29        AttributeValue|startswith: 'GC/'
30    condition: 1 of selection*
31falsepositives:
32    - Valid on domain controllers; exclude known DCs
33level: medium

References

Related rules

to-top