Possible DC Shadow Attack

Detects DCShadow via creation of a new SPN

Sigma rule

title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
      type: derived
status: test
description: Detects DCShadow via creation of a new SPN
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1207
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (see https://github.com/OTRF/Set-AuditRule)
detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: servicePrincipalName
        AttributeValue|startswith: 'GC/'
    condition: 1 of selection*
falsepositives:
    - Valid on domain controllers; exclude known DCs
level: medium
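The rule's two selections and its "exclude known DCs" false-positive handling, applied to constructed Security event records. This is an added illustration, not part of the Sigma rule or the SigmaHQ project; the known-DC lists and the choice of TargetUserName / ObjectDN as the exclusion fields are this example's assumptions.

```python
# Known DC accounts and DNs for the rule's "exclude known DCs" false-positive note.
# Values are constructed for this example.
KNOWN_DC_ACCOUNTS = {"DC01$"}
KNOWN_DC_DNS = {"CN=DC01,OU=Domain Controllers,DC=example,DC=local"}

def selection1(ev: dict) -> bool:
    # EventID 4742 (computer account changed) whose SPN list contains 'GC/'.
    # Sigma string modifiers are case-insensitive, so compare lowercased.
    spns = str(ev.get("ServicePrincipalNames", "")).lower()
    return ev.get("EventID") == 4742 and "gc/" in spns

def selection2(ev: dict) -> bool:
    # EventID 5136 (directory object modified) writing a servicePrincipalName
    # value that starts with 'GC/'.
    return (
        ev.get("EventID") == 5136
        and str(ev.get("AttributeLDAPDisplayName", "")).lower() == "serviceprincipalname"
        and str(ev.get("AttributeValue", "")).lower().startswith("gc/")
    )

def is_known_dc(ev: dict) -> bool:
    # Which field names the object (TargetUserName for 4742, ObjectDN for 5136)
    # is this example's assumption, not something the rule specifies.
    return ev.get("TargetUserName") in KNOWN_DC_ACCOUNTS or ev.get("ObjectDN") in KNOWN_DC_DNS

def match_dcshadow_spn(ev: dict) -> bool:
    # condition: 1 of selection*, then drop events from known DCs.
    return (selection1(ev) or selection2(ev)) and not is_known_dc(ev)

def alerts(events: list) -> list:
    return [ev for ev in events if match_dcshadow_spn(ev)]

# Constructed sample events: a workstation registering a GC/ SPN, a real DC doing
# the same, a 5136 GC/ write on a non-DC object, and an unrelated SPN change.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS01$",
     "ServicePrincipalNames": "GC/ws01.example.local/example.local\nHOST/ws01"},
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/dc01.example.local/example.local"},
    {"EventID": 5136, "ObjectDN": "CN=WS02,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/ws02.example.local/example.local"},
    {"EventID": 5136, "ObjectDN": "CN=WS03,CN=Computers,DC=example,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/ws03.example.local"},
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT", ev["EventID"], ev.get("TargetUserName") or ev.get("ObjectDN"))
```

Only the workstation 4742 event and the non-DC 5136 write surface; the DC01 event matches selection1 but is dropped by the exclusion.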
