frack113
020fc8061f
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
34 lines
1.6 KiB
YAML
34 lines
1.6 KiB
YAML
title: Possible DC Shadow Attack
|
|
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
|
|
related:
|
|
- id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
|
|
type: derived
|
|
status: test
|
|
description: Detects DCShadow via create new SPN
|
|
references:
|
|
- https://twitter.com/gentilkiwi/status/1003236624925413376
|
|
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
|
|
- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
|
|
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
|
|
date: 2019/10/25
|
|
modified: 2022/10/17
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1207
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
|
|
detection:
|
|
selection1:
|
|
EventID: 4742
|
|
ServicePrincipalNames|contains: 'GC/'
|
|
selection2:
|
|
EventID: 5136
|
|
AttributeLDAPDisplayName: servicePrincipalName
|
|
AttributeValue|startswith: 'GC/'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Valid on domain controllers; exclude known DCs
|
|
level: medium
|