Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Mimikatzs DCShadow Alert

Semperis DSP Mimikatzs DCShadow Alert

Back
Id1a6d0a49-64b3-4ca1-96c3-f154c16c218c
RulenameSemperis DSP Mimikatz’s DCShadow Alert
DescriptionMimikatz’s DCShadow switch allows a user who has compromised an AD domain, to inject arbitrary changes into AD using a “fake” domain controller. These changes bypass the security event log and can’t be spotted using normal AD tools. This rule looks for evidence that a machine has been used in this capacity.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1207
Required data connectorsSemperisDSP
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_EvidenceOfMimikatzDCShadowAttack.yaml
Version2.0.7
Arm template1a6d0a49-64b3-4ca1-96c3-f154c16c218c.json
Deploy To Azure
dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Evidence of Mimikatz DCShadow attack"
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_EvidenceOfMimikatzDCShadowAttack.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1207
queryPeriod: 1h
name: Semperis DSP Mimikatz's DCShadow Alert
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
    'Mimikatz's DCShadow switch allows a user who has compromised an AD domain, to inject arbitrary changes into AD using a "fake" domain controller. These changes bypass the security event log and can't be spotted using normal AD tools. This rule looks for evidence that a machine has been used in this capacity.'
tactics:
- DefenseEvasion
severity: High
version: 2.0.7
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Evidence of Mimikatz DCShadow attack"
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
id: 1a6d0a49-64b3-4ca1-96c3-f154c16c218c