← Back to Explore
splunk_escuTTP
Windows AD Short Lived Domain Controller SPN Attribute
The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.
MITRE ATT&CK
Detection Query
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*")
| stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN values(action) as action values(app) as app values(authentication_method) as authentication_method values(signature) as signature values(signature_id) as signature_id values(src) as src
BY Logon_ID
| eval short_lived=case((duration<30),"TRUE")
| where short_lived="TRUE" AND mvcount(OperationType)>1
| replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType
| rename Logon_ID as TargetLogonId
| appendpipe [
| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| `windows_ad_short_lived_domain_controller_spn_attribute_filter`Author
Dean Luxton
Created
2026-03-10
Data Sources
Windows Event Log Security 5136Windows Event Log Security 4624
References
Tags
Compromised Windows HostSneaky Active Directory Persistence Tricks
Raw Content
name: Windows AD Short Lived Domain Controller SPN Attribute
id: 57e27f27-369c-4df8-af08-e8c7ee8373d4
version: 12
date: '2026-03-10'
author: Dean Luxton
type: TTP
status: production
data_source:
- Windows Event Log Security 5136
- Windows Event Log Security 4624
description: The following analytic detects the temporary addition of a global catalog SPN or a DRS RPC SPN to an Active Directory computer object, indicative of a potential DCShadow attack. This detection leverages EventCode 5136 from the `wineventlog_security` data source, focusing on specific SPN attribute changes. This activity is significant as DCShadow attacks allow attackers with privileged access to register rogue Domain Controllers, enabling unauthorized changes to the AD infrastructure. If confirmed malicious, this could lead to unauthorized replication of changes, including credentials and keys, compromising the entire domain's security.
search: |-
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName (AttributeValue="GC/*" OR AttributeValue="E3514235-4B06-11D1-AB04-00C04FC2DCD2/*")
| stats min(_time) as _time range(_time) as duration values(OperationType) as OperationType values(user) as user values(src_ip) as src_ip values(src_nt_domain) as src_nt_domain values(src_user) as src_user values(Computer) as dest, values(ObjectDN) as ObjectDN values(action) as action values(app) as app values(authentication_method) as authentication_method values(signature) as signature values(signature_id) as signature_id values(src) as src
BY Logon_ID
| eval short_lived=case((duration<30),"TRUE")
| where short_lived="TRUE" AND mvcount(OperationType)>1
| replace "%%14674" with "Value Added", "%%14675" with "Value Deleted" in OperationType
| rename Logon_ID as TargetLogonId
| appendpipe [
| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| `windows_ad_short_lived_domain_controller_spn_attribute_filter`
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled, alongside a SACL for `everybody` to `Write All Properties` applied to the domain root and all descendant objects.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.dcshadow.com/
- https://blog.netwrix.com/2022/09/28/dcshadow_attack/
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://attack.mitre.org/techniques/T1207/
- https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
drilldown_searches:
- name: View the detection results for - "$src_user$"
search: '%original_detection_search% | search src_user = "$src_user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$
risk_objects:
- field: src_user
type: user
score: 50
threat_objects: []
tags:
analytic_story:
- Compromised Windows Host
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
- T1207
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog