Find sigma rule
Attack: Rogue Domain Controller
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)
This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)
MITRE
Tactic
- defense-evasion
technique
- T1207
Test : DCShadow (Active Directory)
OS
- windows
Description:
Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute.
It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with:
Get-ADObject -LDAPFilter ‘(samaccountname=
Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user.
Executor
powershell
Sigma Rule
-
win_alert_mimikatz_keywords.yml (id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8)
-
proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
-
proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
-
proc_creation_win_susp_shadow_copies_deletion.yml (id: c947b146-0abc-4c87-9c64-b17e9d7274a2)
-
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
-
proc_creation_win_sysinternals_psexec_execution.yml (id: 730fc21b-eaff-474b-ad23-90fd265d4988)
-
registry_add_pua_sysinternals_execution_via_eula.yml (id: 25ffa65d-76d8-4da5-a832-3f2b0136e133)
-
file_event_win_sysinternals_psexec_service.yml (id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d)
-
pipe_created_sysinternals_psexec_default_pipe.yml (id: f3f3a972-f982-40ad-b63c-bca6afdfad7c)