david-syk
35 lines
1.6 KiB
YAML
35 lines
1.6 KiB
YAML
title: Possible DC Shadow Attack
|
|
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
|
|
related:
|
|
- id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
|
|
type: derived
|
|
status: test
|
|
description: Detects DCShadow via create new SPN
|
|
references:
|
|
- https://twitter.com/gentilkiwi/status/1003236624925413376
|
|
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
|
|
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
|
|
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
|
|
date: 2019-10-25
|
|
modified: 2022-10-17
|
|
tags:
|
|
- attack.credential-access
|
|
- attack.defense-evasion
|
|
- attack.t1207
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
|
|
detection:
|
|
selection1:
|
|
EventID: 4742
|
|
ServicePrincipalNames|contains: 'GC/'
|
|
selection2:
|
|
EventID: 5136
|
|
AttributeLDAPDisplayName: servicePrincipalName
|
|
AttributeValue|startswith: 'GC/'
|
|
condition: 1 of selection*
|
|
falsepositives:
|
|
- Valid on domain controllers; exclude known DCs
|
|
level: medium
|