Description

This analytic identifies a genuine DC promotion event by detecting when a computer account assigns itself the SPNs necessary to function as a domain controller. Note that these events are generated on the existing domain controllers, not on the newly joined domain controller. This detection serves to identify rogue DCs added to the network. There are two detections within this analytic story which identify DCShadow attacks; if you do not currently possess the logging required for those detections, remove the where clause within this detection to also identify DCShadow activity.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-01-26
  • Author: Dean Luxton
  • ID: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0

Annotations

ATT&CK

ID Technique Tactic
T1207 Rogue Domain Controller Defense Evasion
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE
`wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*","*GC/*")
| stats min(_time) as _time, latest(ServicePrincipalNames) as ServicePrincipalNames, values(signature) as signature, values(src_user) as src_user, values(user) as user by Logon_ID, dvc
| where src_user=user
| rename Logon_ID as TargetLogonId, user as dest
| appendpipe [
    | map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"
    | fields - dest, dvc, signature]
| stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip, values(ServicePrincipalNames) as ServicePrincipalNames, values(signature) as signature, values(dest) as dest, values(dvc) as dvc by TargetLogonId
| eval dest=trim(dest,"$")
| `windows_ad_domain_controller_promotion_filter`
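The same correlation logic expressed in Python over constructed sample events, as an added example for readers without a Splunk instance; it is not part of the Splunk content, and the event values (logon IDs, SIDs, host names, addresses) are made up. The require_self_assignment flag corresponds to keeping or removing the where clause discussed in the description.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page). Field names mirror the Windows
# Security log fields the SPL search uses after Splunk's field extraction.
EVENTS = [
    {"EventCode": 4624, "_time": 1000, "TargetLogonId": "0x3e7a1", "user": "DC02$",
     "TargetUserSid": "S-1-5-21-1-2-3-1105", "Target_Domain": "CORP", "src_ip": "10.0.0.12"},
    # Self-assignment of the DC SPNs: the genuine promotion pattern.
    {"EventCode": 4742, "_time": 1001, "Logon_ID": "0x3e7a1", "dvc": "DC01",
     "src_user": "DC02$", "user": "DC02$",
     "ServicePrincipalNames": "GC/DC02.corp.local/corp.local "
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/1111/corp.local"},
    # Ordinary computer account change without DC SPNs: must not match.
    {"EventCode": 4742, "_time": 1002, "Logon_ID": "0x3e7b2", "dvc": "DC01",
     "src_user": "jsmith", "user": "WS01$", "ServicePrincipalNames": "HOST/WS01"},
    # DC SPNs written by another account: dropped by the where clause, kept only
    # when require_self_assignment=False (the DCShadow variant noted above).
    {"EventCode": 4742, "_time": 1003, "Logon_ID": "0x3e7c3", "dvc": "DC01",
     "src_user": "jsmith", "user": "DC03$", "ServicePrincipalNames": "GC/DC03.corp.local/corp.local"},
]
# The two SPN prefixes from the search: the DRS replication GUID and Global Catalog.
DC_SPN = re.compile(r"(E3514235-4B06-11D1-AB04-00C04FC2DCD2|GC)/", re.IGNORECASE)


def detect_dc_promotion(events, require_self_assignment=True):
    """One finding per Logon_ID whose 4742 event set DC SPNs, enriched with the 4624
    logon of that Logon_ID (mirrors stats by Logon_ID, where src_user=user, the
    appendpipe/map on TargetLogonId, and trim(dest, "$"))."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventCode"] == 4624}
    by_logon = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4742 and DC_SPN.search(e.get("ServicePrincipalNames", "")):
            by_logon[e["Logon_ID"]].append(e)
    findings = []
    for logon_id, changes in by_logon.items():
        latest = max(changes, key=lambda e: e["_time"])
        if require_self_assignment and latest["src_user"] != latest["user"]:
            continue  # SPNs were assigned by someone other than the account itself
        logon = logons.get(logon_id, {})
        findings.append({
            "TargetLogonId": logon_id,
            "_time": min(e["_time"] for e in changes),
            "dest": latest["user"].rstrip("$"),  # eval dest=trim(dest,"$")
            "dvc": sorted({e["dvc"] for e in changes}),
            "ServicePrincipalNames": latest["ServicePrincipalNames"],
            "TargetUserSid": logon.get("TargetUserSid"),
            "src_ip": logon.get("src_ip"),
        })
    return findings
```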

Macros

The SPL above uses the following Macros:

:information_source: windows_ad_domain_controller_promotion_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • EventCode
  • ServicePrincipalNames
  • src_user
  • user
  • Logon_ID
  • dvc

How To Implement

To successfully implement this search, you need to be ingesting EventCode 4742. The Advanced Security Audit policy setting Audit Computer Account Management (within Account Management) needs to be enabled.

Known False Positives

None.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
80.0 80 100 AD Domain Controller Promotion Event Detected for $dest$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1