Windows AD DCShadow Privileges ACL Addition

Author: Dean Luxton
Source: upstream

This detection identifies an Active Directory access-control list (ACL) modification event that grants the minimum set of extended rights required to perform the DCShadow attack.

MITRE ATT&CK coverage

Tactic                Techniques
Privilege Escalation  T1484 Domain or Tenant Policy Modification
Defense Evasion       T1207 Rogue Domain Controller; T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification; T1484 Domain or Tenant Policy Modification

Event coverage

Provider           Event ID  Title
Security-Auditing  5136      A directory service object was modified.

Stages and Predicates

Stage 1: search

search EventCode=5136 ObjectClass="domainDNS"

Stage 2: stats

stats BY ObjectClass, ObjectDN, OpCorrelationID, src_user, SubjectLogonId

Stage 3: rex

rex field=old_value ...

Stage 4: rex

rex field=new_value ...

Stage 5: mvexpand

mvexpand

Stage 6: where

where NOT new_ace="old_values"

Stage 7: rex

rex field=new_ace ...

Stage 8: search

search aceObjectGuid IN ("1131f6ab-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2", "9923a32a-3607-11d2-b9be-0000f87a36b2")

Stage 9: rex

rex field=aceAccessRights ...

Stage 10: rex

rex field=aceFlags ...

Stage 11: lookup

lookup <lookup> ControlAccessRights, aceObjectGuid, displayName, guid

Stage 12: lookup

lookup <lookup> AccessRights, access_rights_string, access_rights_value

Stage 13: lookup

lookup <lookup> aceType, ace_type_string, ace_type_value

Stage 14: lookup

lookup <lookup> aceFlags, ace_flag_value, flag_string, flag_value

Stage 15: lookup

lookup <lookup> aceSid, builtin_group, builtin_group_name, builtin_group_string

Stage 16: eval

eval ... using (AccessRights, ControlAccessRights, access_rights_value, aceObjectGuid, aceSid, ace_flag_value, ace_type_value, builtin_group, group)

Stage 17: stats

stats BY ObjectClass, ObjectDN, src_user, user

Stage 18: search

search ((aceControlAccessRights="1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" aceControlAccessRights="1131f6ac-9c07-11d1-f79f-00c04fc2dcd2" aceControlAccessRights="9923a32a-3607-11d2-b9be-0000f87a36b2") OR (aceControlAccessRights="Add/Remove Replica In Domain" aceControlAccessRights="Manage Replication Topology" aceControlAccessRights="Replication Synchronization"))

Stage 19: search

search `macro`
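As an added illustration of what stages 3 through 18 compute (this is not the rule's own code and not from the catalog), the following Python diffs the SDDL in a 5136 event's new_value against old_value, keeps only the ACEs that were added, resolves their object GUIDs with a hand-built subset of the ControlAccessRights lookup, and fires only when a single trustee receives all three DCShadow rights. The sample events, SIDs and the allow-only ACE type filter are assumptions made here.

```python
import re

# Extended-right GUIDs the rule keys on (stages 8 and 18) and the display
# names its ControlAccessRights lookup resolves them to.
DCSHADOW_RIGHTS = {
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "Add/Remove Replica In Domain",
}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def parse_aces(sddl):
    """Return the set of ACE tuples found in an SDDL security descriptor string."""
    return {m.groups() for m in ACE_RE.finditer(sddl)}


def dcshadow_rights_added(event):
    """Mirror the rule: added ACEs only (the NOT new_ace="old_values" exclusion),
    DCShadow object GUIDs only, then require all three rights for one trustee.
    Returns {sid: [display names]} for trustees that meet the bar."""
    if event.get("EventCode") != "5136" or event.get("ObjectClass") != "domainDNS":
        return {}
    added = parse_aces(event["new_value"]) - parse_aces(event["old_value"])
    per_sid = {}
    for ace_type, _flags, _rights, obj_guid, _inherit, sid in added:
        name = DCSHADOW_RIGHTS.get(obj_guid.lower())
        # Allow-type ACEs only: an added deny ACE does not grant the right
        # (this filter is an assumption added here; the rule itself has none).
        if name and ace_type in ("A", "OA"):
            per_sid.setdefault(sid, set()).add(name)
    return {sid: sorted(n) for sid, n in per_sid.items() if len(n) == len(DCSHADOW_RIGHTS)}


# Constructed sample events (not real log data); SIDs are placeholders.
# The old DACL already holds one right for RID 516 (Domain Controllers), so
# that ACE must not count: only the three ACEs added for RID 1105 do.
SAMPLE_OLD = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
              "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-516)")
SAMPLE_NEW = SAMPLE_OLD + ("(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                           "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                           "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-1-2-3-1105)")
SAMPLE_EVENT = {"EventCode": "5136", "ObjectClass": "domainDNS",
                "ObjectDN": "DC=example,DC=local", "old_value": SAMPLE_OLD, "new_value": SAMPLE_NEW}
# Same trustee granted only two of the three rights: below the rule's threshold.
PARTIAL_EVENT = dict(SAMPLE_EVENT, new_value=SAMPLE_NEW.rsplit("(OA", 1)[0])
```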

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage  Field    Kind  Excluded values
1      new_ace  eq    old_values

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                   Kind  Values
EventCode               eq
  • 5136 (corpus 22; splunk 22)
ObjectClass             eq
  • domainDNS (corpus 4; splunk 4)
aceControlAccessRights  eq
  • "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"
  • "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
  • "9923a32a-3607-11d2-b9be-0000f87a36b2"
  • "Add/Remove Replica In Domain"
  • "Manage Replication Topology"
  • "Replication Synchronization"
aceObjectGuid           in
  • "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"
  • "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"
  • "9923a32a-3607-11d2-b9be-0000f87a36b2"

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.