Name:Windows AD Short Lived Server Object id:193769d3-1e33-43a9-970e-ad4a88256cdb version:5 date:2024-11-28 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain. Data_source:
how_to_implement:To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required. known_false_positives:Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed. References: -https://www.dcshadow.com/ -https://attack.mitre.org/techniques/T1207/ -https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/ -https://pentestlab.blog/2018/04/16/dcshadow/ -https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137 -https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141 drilldown_searches: name:'View the detection results for - "$Computer$"' search:'%original_detection_search% | search Computer = "$Computer$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$Computer$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Compromised Windows Host' - 'Sneaky Active Directory Persistence Tricks' asset_type:Endpoint confidence:80 impact:80 message:Potential DCShadow Attack Detected on $Computer$ mitre_attack_id: - 'T1207' observable: name:'SubjectUserName' type:'User' - role: - 'Attacker' name:'Computer' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'ObjectDN' - 'signature' - 'SubjectUserName' - 'Computer' risk_score:64 security_domain:endpoint
