Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
- id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
type: derived
status: test
description: Detects DCShadow via create new SPN
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1207
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection1:
EventID: 4742
ServicePrincipalNames|contains: 'GC/'
selection2:
EventID: 5136
AttributeLDAPDisplayName: servicePrincipalName
AttributeValue|startswith: 'GC/'
condition: 1 of selection*
falsepositives:
- Valid on domain controllers; exclude known DCs
level: medium
low
Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
status testauthor frack113id 20d96d95-5a20-4cf1-a483-f3bda8a7c037
view Sigma YAML
title: Add or Remove Computer from DC
id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
status: test
description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
author: frack113
date: 2022-10-14
tags:
- attack.defense-impairment
- attack.t1207
logsource:
service: security
product: windows
detection:
selection:
EventID:
- 4741
- 4743
condition: selection
falsepositives:
- Unknown
level: low