Windows AD Domain Controller Promotion

Author: Dean Luxton
Source: upstream

The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.

MITRE ATT&CK coverage

Tactic            Technique
Defense Evasion   T1207 Rogue Domain Controller

Event coverage

Provider            Event ID   Title
Security-Auditing   4742       A computer account was changed.

Stages and Predicates

Stage 1: search

search EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*", "*GC/*")

Stage 2: stats

stats BY Logon_ID, dvc

Stage 3: where

where src_user=

Stage 4: rename

rename

Stage 5: appendpipe

appendpipe

Stage 6: stats

stats BY TargetLogonId

Stage 7: eval

eval ...

Stage 8: search

search `macro`
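The first two stages above (the Event 4742 search for DC-marker SPNs, then the grouping by Logon_ID and dvc), implemented in Python over constructed sample events as an added illustration. This is not the rule's SPL and not Splunk's code; the event dictionaries, GUID and host names are placeholders, and the later stages, which this page elides, are not reproduced.

```python
import fnmatch
from collections import defaultdict

# Wildcard patterns from Stage 1 of the rule (Splunk IN() with "*" globs).
DC_SPN_PATTERNS = (
    "*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*",  # DRS replication SPN a DC registers
    "*GC/*",                                    # Global Catalog SPN
)

def spn_is_dc_marker(spn: str) -> bool:
    """Case-insensitive glob match of one SPN against the rule's patterns."""
    return any(fnmatch.fnmatchcase(spn.lower(), p.lower()) for p in DC_SPN_PATTERNS)

def event_spns(event: dict) -> list:
    """ServicePrincipalNames is a multivalue list, or the literal "-" when the attribute was not changed."""
    value = event.get("ServicePrincipalNames", "-")
    spns = value if isinstance(value, list) else [value]
    return [s for s in spns if s != "-"]

def stage1_search(events: list) -> list:
    """Stage 1: EventCode=4742 AND at least one ServicePrincipalNames value matches a DC marker."""
    return [
        e for e in events
        if e.get("EventCode") == 4742 and any(spn_is_dc_marker(s) for s in event_spns(e))
    ]

def stage2_stats(matches: list) -> dict:
    """Stage 2: group matches by (Logon_ID, dvc); keep the count and the SPNs that matched."""
    groups = defaultdict(lambda: {"count": 0, "spns": set()})
    for e in matches:
        key = (e["Logon_ID"], e["dvc"])
        groups[key]["count"] += 1
        groups[key]["spns"].update(s for s in event_spns(e) if spn_is_dc_marker(s))
    return dict(groups)

SAMPLE_EVENTS = [  # constructed sample events; the GUID and host names are placeholders
    {"EventCode": 4742, "Logon_ID": "0x3E7", "dvc": "dc01.corp.example",  # DC promotion
     "ServicePrincipalNames": [
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000-0000-0000-000000000001/corp.example",
         "GC/dc02.corp.example/corp.example", "HOST/dc02.corp.example"]},
    {"EventCode": 4742, "Logon_ID": "0x1A2B3C", "dvc": "dc01.corp.example",  # workstation, benign
     "ServicePrincipalNames": ["HOST/ws01.corp.example", "RestrictedKrbHost/ws01"]},
    {"EventCode": 4742, "Logon_ID": "0x1A2B3C", "dvc": "dc01.corp.example",  # SPNs unchanged
     "ServicePrincipalNames": "-"},
]
```

Only the first sample event survives Stage 1; the other two show the benign HOST-only change and the "-" placeholder that a naive string match on 4742 events must not trip over.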

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a count of 1 means the indicator is specific to this rule.

Field                   Kind   Values
EventCode               eq
  • 4742 (corpus 4; splunk 4)
ServicePrincipalNames   in
  • "*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*"
  • "*GC/*"