Windows AD Domain Controller Promotion

name: Windows AD Domain Controller Promotion
id: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0
version: 11
creation_date: '2023-01-25'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: The following analytic identifies a genuine Domain Controller (DC) promotion event by detecting when a computer assigns itself the necessary Service Principal Names (SPNs) to function as a domain controller. It leverages Windows Security Event Code 4742 to monitor existing domain controllers for these changes. This activity is significant as it can help identify rogue DCs added to the network, which could indicate a DCShadow attack. If confirmed malicious, this could allow an attacker to manipulate Active Directory, leading to potential privilege escalation and persistent access within the environment.
data_source:
    - Windows Event Log Security 4742
search: |-
    `wineventlog_security` EventCode=4742 ServicePrincipalNames IN ("*E3514235-4B06-11D1-AB04-00C04FC2DCD2/*","*GC/*")
      | stats min(_time) as _time latest(ServicePrincipalNames) as ServicePrincipalNames,values(signature) as signature, values(src_user) as src_user, values(user) as user
        BY Logon_ID, dvc
      | where src_user=user
      | rename Logon_ID as TargetLogonId, user as dest
      | appendpipe [
      | map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"
      | fields - dest, dvc, signature]
      | stats min(_time) as _time, values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip values(ServicePrincipalNames) as ServicePrincipalNames values(signature) as signature values(dest) as dest values(dvc) as dvc
        BY TargetLogonId
      | eval dest=trim(dest,"$")
      | `windows_ad_domain_controller_promotion_filter`
how_to_implement: To successfully implement this search, you need to be ingesting eventcode `4742`. The Advanced Security Audit policy setting `Audit Computer Account Management` within `Account Management` needs to be enabled.
known_false_positives: No false positives have been identified at this time.
references:
    - https://attack.mitre.org/techniques/T1207/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: AD Domain Controller Promotion Event Detected for $dest$
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Compromised Windows Host
    - Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
    - T1207
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit