Possible DC Shadow Attack
Detects DCShadow via create new SPN
Sigma rule (View on GitHub)
1title: Possible DC Shadow Attack
2id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
3related:
4 - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
5 type: derived
6status: test
7description: Detects DCShadow via create new SPN
8references:
9 - https://twitter.com/gentilkiwi/status/1003236624925413376
10 - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
11 - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
12author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
13date: 2019/10/25
14modified: 2022/10/17
15tags:
16 - attack.credential_access
17 - attack.t1207
18logsource:
19 product: windows
20 service: security
21 definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
22detection:
23 selection1:
24 EventID: 4742
25 ServicePrincipalNames|contains: 'GC/'
26 selection2:
27 EventID: 5136
28 AttributeLDAPDisplayName: servicePrincipalName
29 AttributeValue|startswith: 'GC/'
30 condition: 1 of selection*
31falsepositives:
32 - Valid on domain controllers; exclude known DCs
33level: medium
References
Related rules
- Add or Remove Computer from DC
- Added Owner To Application
- App Granted Microsoft Permissions
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes