Detection rules › Splunk
Windows AD Short Lived Domain Controller SPN Attribute
The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the wineventlog_security data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1207 Rogue Domain Controller |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: search
search (AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*" OR AttributeValue="GC/*") AttributeLDAPDisplayName="servicePrincipalName" EventCode=5136
Stage 2: stats
stats BY Logon_ID
Stage 3: eval
eval ... using (duration)
Stage 4: where
where short_lived="TRUE"
Stage 5: replace
replace
Stage 6: rename
rename
Stage 7: appendpipe
appendpipe
Stage 8: search
search `macro`
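The stage logic above, re-implemented in Python over a constructed batch of EventCode 5136 events so the grouping and duration check can be traced end to end (an added example, not Splunk's SPL or code). The 30-second threshold and the "added and then deleted within one Logon_ID" criterion for a temporary addition are assumptions, since the page does not show the eval expression.

```python
import re
from collections import defaultdict

# 5136 OperationType codes: %%14674 = value added, %%14675 = value deleted.
ADDED, DELETED = "%%14674", "%%14675"
# A rogue DC registers the global catalog SPN (GC/...) or the DRS RPC SPN (GUID/...).
DC_SPN = re.compile(r"^(GC|E3514235-4B06-11D1-AB04-00C04FC2DCD2)/", re.IGNORECASE)
SHORT_LIVED_SECONDS = 30  # assumed threshold; the page does not state the rule's value

def ev(t, logon_id, dn, attr, value, op):
    """Build a minimal 5136 event as Splunk would present it (constructed sample)."""
    return {"_time": t, "EventCode": 5136, "Logon_ID": logon_id, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}

WS = "CN=WS01,OU=Workstations,DC=corp,DC=example"
DC = "CN=DC02,OU=Domain Controllers,DC=corp,DC=example"
DRS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/0f1e2d3c-0000-0000-0000-000000000000/corp.example"
SAMPLE_EVENTS = [  # constructed, not real logs
    ev(1700000000, "0x3E7A1", WS, "servicePrincipalName", "GC/ws01.corp.example/corp.example", ADDED),
    ev(1700000001, "0x3E7A1", WS, "servicePrincipalName", DRS, ADDED),
    ev(1700000003, "0x3E7A1", WS, "description", "temp", ADDED),  # unrelated attribute, filtered out
    ev(1700000012, "0x3E7A1", WS, "servicePrincipalName", "GC/ws01.corp.example/corp.example", DELETED),
    ev(1700000012, "0x3E7A1", WS, "servicePrincipalName", DRS, DELETED),
    ev(1700003600, "0x5B2C0", DC, "servicePrincipalName", "GC/dc02.corp.example/corp.example", ADDED),  # real promotion: never removed
]

def detect_short_lived_dc_spn(events, threshold=SHORT_LIVED_SECONDS):
    """Return one row per Logon_ID whose DC-like SPN was added and removed within `threshold` seconds."""
    # Stage 1 (search): 5136 servicePrincipalName changes whose value is a GC or DRS RPC SPN
    hits = [e for e in events if e["EventCode"] == 5136
            and e["AttributeLDAPDisplayName"] == "servicePrincipalName"
            and DC_SPN.match(e["AttributeValue"])]
    # Stage 2 (stats BY Logon_ID): collect times, operations and values per logon session
    by_logon = defaultdict(list)
    for e in hits:
        by_logon[e["Logon_ID"]].append(e)
    rows = []
    for logon_id, group in by_logon.items():
        times = [e["_time"] for e in group]
        ops = {e["OperationType"] for e in group}
        duration = max(times) - min(times)
        # Stage 3 (eval): "temporary addition" = added AND deleted, within the threshold (assumed)
        short_lived = ADDED in ops and DELETED in ops and duration < threshold
        rows.append({"Logon_ID": logon_id, "ObjectDN": sorted({e["ObjectDN"] for e in group}),
                     "SPNs": sorted({e["AttributeValue"] for e in group}),
                     "duration": duration, "short_lived": short_lived})
    # Stage 4 (where short_lived="TRUE")
    return [r for r in rows if r["short_lived"]]

if __name__ == "__main__":
    for row in detect_short_lived_dc_spn(SAMPLE_EVENTS):
        print(f"{row['Logon_ID']} {row['ObjectDN']} held DC SPNs for {row['duration']}s: {row['SPNs']}")
```

Only the workstation session is returned: DC02's global catalog SPN is added but never removed, so it is not short-lived however fast the promotion was.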
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Operator | Values |
|---|---|---|
| AttributeLDAPDisplayName | eq | servicePrincipalName |
| AttributeValue | eq | E3514235-4B06-11D1-AB04-00C04FC2DCD2/*, GC/* |
| EventCode | eq | 5136 |
| short_lived | eq | TRUE |