Find sigma rule

Attack: Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)

MITRE

Tactic

defense-evasion

technique

T1207

Test : DCShadow (Active Directory)

OS

windows

Description:

Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute.

DCShadow Additional Reference

It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with: Get-ADObject -LDAPFilter ‘(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount

Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user.

Executor

powershell

Sigma Rule

win_alert_mimikatz_keywords.yml (id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8)
proc_creation_win_hktl_mimikatz_command_line.yml (id: a642964e-bead-4bed-8910-1bb4d63e3b4d)
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
proc_creation_win_susp_shadow_copies_deletion.yml (id: c947b146-0abc-4c87-9c64-b17e9d7274a2)
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
proc_creation_win_sysinternals_psexec_execution.yml (id: 730fc21b-eaff-474b-ad23-90fd265d4988)
registry_add_pua_sysinternals_execution_via_eula.yml (id: 25ffa65d-76d8-4da5-a832-3f2b0136e133)
file_event_win_sysinternals_psexec_service.yml (id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d)
pipe_created_sysinternals_psexec_default_pipe.yml (id: f3f3a972-f982-40ad-b63c-bca6afdfad7c)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test