CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
bc230f7cd55c7466ea46a76dc71b0759d0b94474
hayabusa/rules/sigma/builtin/win_possible_dc_shadow.yml
Yamato Security 015899bc51 ルール更新 (#224)
2021-11-23 15:04:03 +09:00

35 lines
1.0 KiB
YAML
Raw Blame History

title: Possible DC Shadow
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019/10/25
description: Detects DCShadow via create new SPN
detection:
SELECTION_1:
EventID: 4742
SELECTION_2:
ServicePrincipalNames: '*GC/*'
SELECTION_3:
EventID: 5136
SELECTION_4:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_5:
AttributeValue: GC/*
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
- Exclude known DCs
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
level: high
logsource:
product: windows
service: security
modified: 2021/07/06
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
status: experimental
tags:
- attack.credential_access
- attack.t1207
Reference in New Issue View Git Blame Copy Permalink