Name:Windows AD Short Lived Domain Controller SPN Attribute id:57e27f27-369c-4df8-af08-e8c7ee8373d4 version:6 date:2024-11-28 author:Dean Luxton status:production type:TTP Description:The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security. Data_source:
-Windows Event Log Security 5136
-Windows Event Log Security 4624
search:`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*") | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN by Logon_ID | eval short_lived=case((duration<30),"TRUE") | where short_lived="TRUE" AND mvcount(OperationType)>1 | replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType | rename Logon_ID as TargetLogonId | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | stats min(_time) as _time, values(ObjectDN) as ObjectDN values(OperationType) as OperationType by TargetLogonId src_user dest | `windows_ad_short_lived_domain_controller_spn_attribute_filter`
how_to_implement:To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects. known_false_positives:None. References: -https://www.dcshadow.com/ -https://blog.netwrix.com/2022/09/28/dcshadow_attack/ -https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 -https://attack.mitre.org/techniques/T1207/ -https://blog.alsid.eu/dcshadow-explained-4510f52fc19d drilldown_searches: name:'View the detection results for - "$src_user$"' search:'%original_detection_search% | search src_user = "$src_user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Compromised Windows Host' - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:100 impact:100 message:Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$ mitre_attack_id: - 'T1207' observable: name:'src_user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'AttributeLDAPDisplayName' - 'AttributeValue' - 'src_nt_domain' - 'src_user' - 'Computer' - 'ObjectDN' - 'Logon_ID' - 'signature' risk_score:100 security_domain:endpoint
