Windows AD Short Lived Server Object

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1207` Rogue Domain Controller

Event coverage

Provider	Event ID	Title
Security-Auditing	5137	A directory service object was created.
Security-Auditing	5141	A directory service object was deleted.

Stages and Predicates

Stage 1: `search`

search (EventCode=5137 OR EventCode=5141) ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*"

Stage 2: `transaction`

transaction ObjectDN endswith=EventCode = 5141 startswith=EventCode = 5137

Stage 3: `eval`

eval ... using (duration)

Stage 4: `search`

search short_lived=TRUE

Stage 5: `stats`

stats BY _time, Computer, SubjectUserName, dest

Stage 6: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`5137` corpus 3 (splunk 3) `5141`
`ObjectDN`	eq	`"CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration"`
`short_lived`	eq	`TRUE` corpus 4 (splunk 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows Administrative Shares Accessed On Multiple Hosts [splunk]

Windows AD Short Lived Server Object

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: transaction

Stage 3: eval

Stage 4: search

Stage 5: stats

Stage 6: search