LoFP / Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.

Techniques

Sample rules

Windows AD Short Lived Server Object

Description

The following analytic identifies a change in an Active Directory environment that could represent evidence of the DCShadow attack. DCShadow allows an attacker who has already obtained privileged access to register a rogue Domain Controller (DC). Once registered, the rogue DC may be able to inject and replicate changes in the AD infrastructure for any domain object, including credentials and keys. This technique was initially released in 2018 by security researchers Benjamin Delpy and Vincent Le Toux. Specifically, the detection triggers when a possible rogue Domain Controller computer object is created and then deleted within 30 seconds or less in an Active Directory domain. This behavior was identified by simulating the DCShadow attack with Mimikatz.

Detection logic

 `wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*" 
| transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141) 
| eval short_lived=case((duration<30),"TRUE") 
| search short_lived = TRUE 
| stats values(ObjectDN) values(signature) values(EventCode) by _time, Computer, SubjectUserName 
| `windows_ad_short_lived_server_object_filter`
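The same pairing logic, written here as an added Python example rather than code from the rule or its authors, run over a handful of constructed events so the 30-second threshold can be exercised offline. The object names (ROGUEDC, DC03), the host and user names and the timestamps are all made up for the sample.

```python
from datetime import datetime

SERVERS_CONTAINER = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration"
THRESHOLD_SECONDS = 30

# Constructed sample events (not real telemetry). Field names mirror the
# Windows Security log attributes the Splunk search keys on. The hypothetical
# "CN=ROGUEDC,..." object is created and deleted 12 seconds apart, "CN=DC03,..."
# lives for hours, and the laptop object sits outside the Servers container.
ROGUE_DN = "CN=ROGUEDC," + SERVERS_CONTAINER + ",DC=corp,DC=local"
DC03_DN = "CN=DC03," + SERVERS_CONTAINER + ",DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 5137, "Computer": "DC01", "SubjectUserName": "svc_backup", "ObjectDN": ROGUE_DN},
    {"_time": "2024-05-01T10:00:12", "EventCode": 5141, "Computer": "DC01", "SubjectUserName": "svc_backup", "ObjectDN": ROGUE_DN},
    {"_time": "2024-05-01T11:00:00", "EventCode": 5137, "Computer": "DC01", "SubjectUserName": "admin.jane", "ObjectDN": DC03_DN},
    {"_time": "2024-05-01T13:30:00", "EventCode": 5141, "Computer": "DC01", "SubjectUserName": "admin.jane", "ObjectDN": DC03_DN},
    {"_time": "2024-05-01T11:00:05", "EventCode": 5137, "Computer": "DC01", "SubjectUserName": "helpdesk", "ObjectDN": "CN=Laptop1,CN=Computers,DC=corp,DC=local"},
]


def find_short_lived_server_objects(events, threshold=THRESHOLD_SECONDS):
    """Pair each 5137 (object created) with the next 5141 (object deleted) for
    the same ObjectDN under the Servers container, the way
    `transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141)`
    does, and return only the pairs whose lifetime is below the threshold."""
    pending = {}  # ObjectDN -> create event still waiting for its delete
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):  # ISO-8601 sorts lexically
        if SERVERS_CONTAINER not in ev["ObjectDN"]:
            continue  # same scope as the ObjectDN wildcard in the search
        if ev["EventCode"] == 5137:
            pending[ev["ObjectDN"]] = ev
        elif ev["EventCode"] == 5141 and ev["ObjectDN"] in pending:
            created = pending.pop(ev["ObjectDN"])
            duration = (datetime.fromisoformat(ev["_time"])
                        - datetime.fromisoformat(created["_time"])).total_seconds()
            if duration < threshold:  # mirrors eval short_lived=case((duration<30),"TRUE")
                hits.append({"ObjectDN": ev["ObjectDN"], "Computer": ev["Computer"],
                             "SubjectUserName": ev["SubjectUserName"],
                             "created": created["_time"], "deleted": ev["_time"],
                             "duration_seconds": duration})
    return hits


if __name__ == "__main__":
    for hit in find_short_lived_server_objects(SAMPLE_EVENTS):
        print(hit)
```

A create with no matching delete never fires, exactly as the `transaction` command needs both boundary events; tune `threshold` the same way you would the `duration<30` test in the search.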