Possible DCShadow attempt

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Flow Log
    • AWS OCSF Flow Logs
    • Azure Flow Log
    • Gcp Flow Log
    • Palo Alto Networks Platform Logs
    • Third-Party Firewalls
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

Attackers may register a compromised host as a new domain controller (DC) so that the legitimate DCs replicate directory data to it, and then use that rogue DC to push malicious Active Directory changes out to all DCs.

Attacker's Goals

Retrieve Active Directory data in order to later push malicious Active Directory changes out to the domain.

Investigative actions

Check whether the destination host is a newly promoted domain controller, or a host that legitimately synchronizes with ADFS or Azure AD.