
Possible DC Shadow Attack

Detects DCShadow via the creation of a new SPN

Authors: Ilyas Ochkov, oscd.community, Chakib Gzenayi, Hosni Mribah
Created: Fri Oct 25
Updated: Mon Oct 17
Rule ID: 32e19d25-4aed-4860-a55a-be99cb0bf7ed

Log Source
Product: windows
Service: security

Definition

The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs), and only when those objects are accessed in a manner that matches their SACL settings. This policy covers the following event IDs: 5136, 5137, 5138, 5139 and 5141. Note that the default policy does not cover User objects; for those, a custom AuditRule needs to be set up (see https://github.com/OTRF/Set-AuditRule).

Detection Logic (2 selectors)

detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: servicePrincipalName
        AttributeValue|startswith: 'GC/'
    condition: 1 of selection*

False Positives

Valid on domain controllers; exclude known DCs
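The two selectors above and the "exclude known DCs" tuning, as an added example that is not part of the Sigma rule or the page; the sample events, the allowlist of DC names and the field used to identify the changed object (TargetUserName for 4742, ObjectDN for 5136) are constructed assumptions.

```python
"""Added example: the Sigma logic above applied to constructed Windows Security
events, plus the 'exclude known DCs' tuning from the False Positives note."""

# Constructed allowlist of legitimate domain controller computer names (assumption).
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample events shaped like the fields a Windows Security log exposes.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC01$",            # a real DC: matches, but allowlisted
     "ServicePrincipalNames": "GC/dc01.corp.example/corp.example\nldap/dc01.corp.example"},
    {"EventID": 4742, "TargetUserName": "WS-FINANCE-07$",   # workstation gains a GC/ SPN: alert
     "ServicePrincipalNames": "HOST/ws-finance-07\nGC/ws-finance-07.corp.example/corp.example"},
    {"EventID": 5136, "ObjectDN": "CN=WS-FINANCE-07,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",   # same change seen via DS Changes: alert
     "AttributeValue": "GC/ws-finance-07.corp.example/corp.example"},
    {"EventID": 5136, "ObjectDN": "CN=SQL01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",   # ordinary SPN, no GC/ prefix: no match
     "AttributeValue": "MSSQLSvc/sql01.corp.example:1433"},
]


def spn_values(event):
    """4742 renders ServicePrincipalNames as a newline-separated multi-valued string."""
    return [v for v in str(event.get("ServicePrincipalNames", "")).splitlines() if v.strip()]


def matches_rule(event):
    """Sigma 'contains'/'startswith' modifiers are case-insensitive; condition is 1 of selection*."""
    event_id = int(event.get("EventID", 0))
    if event_id == 4742:  # selection1 (4742 comes from Audit Computer Account Management, not DS Changes)
        return any("gc/" in spn.lower() for spn in spn_values(event))
    if event_id == 5136:  # selection2
        return (str(event.get("AttributeLDAPDisplayName", "")).lower() == "serviceprincipalname"
                and str(event.get("AttributeValue", "")).lower().startswith("gc/"))
    return False


def changed_object_name(event):
    """Computer name of the modified object: sAMAccountName for 4742, first RDN of ObjectDN for 5136."""
    if "TargetUserName" in event:
        return event["TargetUserName"].rstrip("$").upper()
    first_rdn = str(event.get("ObjectDN", "")).split(",", 1)[0]
    return first_rdn.split("=", 1)[-1].upper()


def triage(events):
    """Return events that match the rule and are not known domain controllers."""
    return [e for e in events if matches_rule(e) and changed_object_name(e) not in KNOWN_DCS]
```

Running `triage(SAMPLE_EVENTS)` yields the two workstation events; the DC's own GC/ SPN registration matches the rule but is dropped by the allowlist.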

MITRE ATT&CK

Tactics: Credential Access, Defense Evasion
Technique: T1207 (Rogue Domain Controller)

Rule Metadata
Rule ID
32e19d25-4aed-4860-a55a-be99cb0bf7ed
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Mon Oct 17
Path
rules/windows/builtin/security/win_security_possible_dc_shadow.yml
Raw Tags
attack.credential-access, attack.defense-evasion, attack.t1207