Detection rules › Splunk
Windows AD Short Lived Server Object
The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Impairment | T1207 Rogue Domain Controller |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 5137 | A directory service object was created. |
| Security-Auditing | Event ID 5141 | A directory service object was deleted. |
Rule body splunk
name: Windows AD Short Lived Server Object
id: 193769d3-1e33-43a9-970e-ad4a88256cdb
version: 12
creation_date: '2022-10-18'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies the creation and quick deletion of a Domain Controller (DC) object within 30 seconds in an Active Directory environment, indicative of a potential DCShadow attack. This detection leverages Windows Security Event Codes 5137 and 5141, analyzing the duration between these events. This activity is significant as DCShadow allows attackers with privileged access to register a rogue DC, enabling unauthorized changes to AD objects, including credentials. If confirmed malicious, this could lead to unauthorized AD modifications, compromising the integrity and security of the entire domain.
data_source:
- Windows Event Log Security 5137
- Windows Event Log Security 5141
search: |-
`wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*"
| transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141)
| eval short_lived=case((duration<30),"TRUE")
| search short_lived = TRUE
| stats values(ObjectDN) values(signature) values(EventCode)
BY _time, Computer, SubjectUserName,
dest
| `windows_ad_short_lived_server_object_filter`
how_to_implement: To successfully implement this search, you ned to be ingesting Event codes `5137` and `5141`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. For these event codes to be generated, specific SACLs are required.
known_false_positives: Creating and deleting a server object within 30 seconds or less is unusual but not impossible in a production environment. Filter as needed.
references:
- https://www.dcshadow.com/
- https://attack.mitre.org/techniques/T1207/
- https://stealthbits.com/blog/detecting-dcshadow-with-event-logs/
- https://pentestlab.blog/2018/04/16/dcshadow/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141
drilldown_searches:
- name: View the detection results for - "$Computer$"
search: '%original_detection_search% | search Computer = "$Computer$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: A short-lived server object was created and deleted on $Computer$
entity:
field: SubjectUserName
type: user
score: 50
intermediate_findings:
entities:
- field: Computer
type: system
score: 50
message: A short-lived server object was created and deleted on $Computer$
analytic_story:
- Compromised Windows Host
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
- T1207
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode=5137 OR EventCode=5141 ObjectDN="*CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration*"
Stage 2: transaction implicit 300s window
| transaction ObjectDN startswith=(EventCode=5137) endswith=(EventCode=5141)
Stage 3: eval
| eval short_lived=case((duration<30),"TRUE")
short_lived =else
"TRUE"Stage 4: search
| search short_lived = TRUE
Stage 5: stats
| stats values(ObjectDN) values(signature) values(EventCode)
BY _time, Computer, SubjectUserName,
dest
Stage 6: search
| `windows_ad_short_lived_server_object_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ObjectDN | eq |
|
short_lived | eq |
|