LoFP / valid on domain controllers; exclude known dcs

Techniques

Sample rules

Possible DC Shadow Attack

Description

Detects DCShadow via the creation of a new SPN

Detection logic

condition: 1 of selection*
selection1:
  EventID: 4742
  ServicePrincipalNames|contains: GC/
selection2:
  AttributeLDAPDisplayName: servicePrincipalName
  AttributeValue|startswith: GC/
  EventID: 5136
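The detection logic above, and the LoFP note that it is valid on domain controllers so known DCs should be excluded, as an added Python example written for this page (not code from LoFP or from the Sigma rule itself). It evaluates both selections over constructed 4742/5136 events, then suppresses matches whose computer name is on a known-DC list. The field names used to recover the computer name (TargetUserName on 4742, ObjectDN on 5136), the KNOWN_DCS set and the sample events are assumptions constructed for the example.

```python
"""Added example (not from the LoFP page or the Sigma rule): apply the
'Possible DC Shadow Attack' selections to constructed Windows security
events, then suppress matches from known domain controllers as the LoFP
entry advises."""

# Constructed for the example: computer names of the legitimate DCs.
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample events shaped like Sigma's Windows security log fields.
SAMPLE_EVENTS = [
    # Legitimate DC update: matches the rule, but it is a known DC.
    {"EventID": 4742, "TargetUserName": "DC02$",
     "ServicePrincipalNames": "HOST/dc02.corp.local\nGC/dc02.corp.local/corp.local"},
    # A workstation account suddenly carrying a GC/ SPN: keep this alert.
    {"EventID": 4742, "TargetUserName": "WS01$",
     "ServicePrincipalNames": "HOST/ws01.corp.local\nGC/ws01.corp.local/corp.local"},
    # Directory object change adding a GC/ SPN to a non-DC object: keep.
    {"EventID": 5136, "ObjectDN": "CN=WS07,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/ws07.corp.local/corp.local"},
    # Ordinary SPN change: no GC/ prefix, no match.
    {"EventID": 5136, "ObjectDN": "CN=WS07,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/ws07.corp.local"},
    # Computer account change without any GC/ SPN: no match.
    {"EventID": 4742, "TargetUserName": "WS02$",
     "ServicePrincipalNames": "HOST/ws02.corp.local"},
]


def selection1(event):
    """EventID 4742 whose ServicePrincipalNames field contains 'GC/'."""
    return (event.get("EventID") == 4742
            and "GC/" in str(event.get("ServicePrincipalNames", "")))


def selection2(event):
    """EventID 5136 modifying servicePrincipalName with a value starting 'GC/'."""
    return (event.get("EventID") == 5136
            and event.get("AttributeLDAPDisplayName") == "servicePrincipalName"
            and str(event.get("AttributeValue", "")).startswith("GC/"))


def matches_rule(event):
    """condition: 1 of selection* -> any selection matching raises the rule."""
    return selection1(event) or selection2(event)


def computer_name(event):
    """Recover the computer name for the known-DC check (assumed field
    names: TargetUserName on 4742, ObjectDN on 5136)."""
    if event.get("EventID") == 4742:
        return str(event.get("TargetUserName", "")).rstrip("$").upper()
    rdn = str(event.get("ObjectDN", "")).split(",", 1)[0]
    return rdn[3:].upper() if rdn.upper().startswith("CN=") else ""


def evaluate(events, known_dcs=KNOWN_DCS):
    """Return every rule match and the subset that survives the known-DC filter."""
    dcs = {dc.upper() for dc in known_dcs}
    matched, alerts = [], []
    for event in events:
        if not matches_rule(event):
            continue
        name = computer_name(event)
        matched.append(name)
        if name not in dcs:
            alerts.append(name)
    return {"matched": matched, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    print("rule matches   :", result["matched"])
    print("after DC filter:", result["alerts"])
```

The known-DC suppression is applied after matching rather than folded into the selections, so the raw rule hits are still available for review; a GC/ SPN appearing on a legitimate DC is expected, while the same change on any other object is the DCShadow signal the rule is after.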