title: Possible DC Shadow
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019/10/25
description: Detects DCShadow via create new SPN
detection:
  SELECTION_1:
    EventID: 4742
  SELECTION_2:
    ServicePrincipalNames: '*GC/*'
  SELECTION_3:
    EventID: 5136
  SELECTION_4:
    AttributeLDAPDisplayName: servicePrincipalName
  SELECTION_5:
    AttributeValue: GC/*
  condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
- Exclude known DCs
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
level: high
logsource:
  product: windows
  service: security
modified: 2021/07/06
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
status: experimental
tags:
- attack.credential_access
- attack.t1207
ruletype: SIGMA