splApache-2.0from splunk/security_content

Windows AD Short Lived Domain Controller SPN Attribute

The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.

Quality

FP risk

—

Forks

Views

Rule sourcedetections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml

`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*")
  | stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN values(action) as action values(app) as app values(authentication_method) as authentication_method values(signature) as signature values(signature_id) as signature_id values(src) as src
    BY Logon_ID
  | eval short_lived=case((duration<30),"TRUE")
  | where short_lived="TRUE" AND mvcount(OperationType)>1
  | replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType
  | rename Logon_ID as TargetLogonId
  | appendpipe [
  | map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
  | `windows_ad_short_lived_domain_controller_spn_attribute_filter`