DCShadow
ATT&CK: T1207 — Rogue Domain Controller
DCShadow is an Active Directory persistence and evasion technique where an attacker registers a rogue domain controller in the AD topology, then uses it to push arbitrary attribute changes to AD — bypassing standard security monitoring that watches legitimate DC event logs.
How DCShadow Works
Normal AD replication: DCs use the MS-DRSR (Directory Replication Service Remote Protocol) to synchronize changes. Any DC registered in AD can initiate replication.
DCShadow abuse:
- Register a rogue DC — create nTDSDSA and server objects in the AD Sites and Services configuration partition so that a compromised machine appears as a DC
- Push malicious changes — the rogue DC replicates attribute changes to legitimate DCs; these changes arrive via replication, not direct modification
- Clean up — remove the rogue DC objects after the changes are committed
Because the changes arrive via DC-to-DC replication rather than standard LDAP writes, they do not generate Event ID 4662/5136 (object modification events) on the legitimate DCs — they appear as normal replication.
Payload Examples
What can be injected via DCShadow:
| Payload | Effect |
|---|---|
| Add SID to sIDHistory | Give account access to another domain's resources |
| Set primaryGroupID | Change group membership without a group modification event |
| Set adminCount = 1 | Move account into AdminSDHolder protection scope |
| Modify msDS-KeyCredentialLink | Add shadow credentials for persistence |
| Modify ACLs on AD objects | Grant DCSync rights, WriteDACL, etc. |
| Set servicePrincipalName | Register SPN for targeted Kerberoasting |
| Set userAccountControl | Remove PREAUTH required → AS-REP Roasting target |
Tool: Mimikatz lsadump::dcshadow
```
# In a privileged shell on the target (needs Domain Admin or specific replication rights)
# Register the rogue DC (run as SYSTEM or DA)
mimikatz # lsadump::dcshadow /object:targetuser /attribute:SIDHistory /value:S-1-5-21-<old-domain>-500
# In a second Mimikatz instance with Domain Admin privileges:
mimikatz # lsadump::dcshadow /push
# The second instance triggers the replication push
```
DCShadow requires two simultaneous Mimikatz processes:
- One running as SYSTEM on the machine being registered as rogue DC
- One running with Domain Admin credentials to trigger the replication
Privilege Requirements
| Requirement | Detail |
|---|---|
| Register rogue DC objects | Domain Admin or write access to CN=Configuration partition |
| Push replication | Domain Admin or DS-Replication-Manage-Topology + DS-Replication-Synchronize rights |
| Effectively | Domain Admin equivalent required |
DCShadow is a post-exploitation persistence technique — not an initial access vector. An attacker needs Domain Admin before using it, then uses DCShadow to maintain persistence while evading detection.
Comparison: DCSync vs DCShadow
| | DCSync | DCShadow |
|---|---|---|
| Direction | Pull (read credentials) | Push (write AD changes) |
| Purpose | Credential extraction | Persistence, evasion |
| Log events | Event 4662 on DCs | Replication events only |
| Detection difficulty | Moderate | Hard |
| Requires | Replication rights | Ability to register DC + replication rights |
Detection
Event IDs to Monitor
| Event ID | Source | Relevance |
|---|---|---|
| 4928 | AD Replication | Source naming context replica added |
| 4929 | AD Replication | Source naming context replica removed |
| 4930 | AD Replication | Source naming context replica modified |
| 4932 | AD Replication | Synchronization of a replica of an AD naming context |
| 4935/4936 | AD Replication | Replication failure begins/ends |
Behavioral Indicators
DCShadow leaves a short-lived registration artifact:
```
# Rogue DC objects created in:
CN=Sites,CN=Configuration,DC=domain,DC=com
# Specifically:
CN=<machine-name>,CN=Servers,CN=<site>,CN=Sites,...
CN=NTDS Settings,CN=<machine-name>,...
```
Detections:
- New DC registration in Sites & Services that is not a legitimate deployment
- Replication events from unexpected source IP/hostname
- Attribute changes arriving via replication that were not initiated via normal change management
Sigma Rule Concept
```yaml
title: DCShadow — Unexpected DC Registration
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4928            # replica source naming context established
  filter_known:
    # Allowlist known DCs: the Source DRA field of 4928 is the DN of the
    # source DC's NTDS Settings object, so it contains "CN=<dc-hostname>,".
    # Replace the placeholder names below with your environment's DCs.
    SourceDRA|contains:
      - 'CN=DC01,'
      - 'CN=DC02,'
  condition: selection and not filter_known
```
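The behavioral indicators and the Sigma concept above can be combined into one correlation: a 4928 from a source that is not a known DC, followed shortly by a 4929 from the same source, is the short-lived registration artifact DCShadow leaves. The script below is an added example, not code from the original page; it assumes events have already been parsed into dicts carrying the fields Windows logs for 4928/4929 (SourceDRA as the NTDS Settings DN of the source), and the allowlist `KNOWN_DCS`, the window length and the sample events are constructed placeholders.

```python
"""Flag DCShadow-style rogue DC registrations from Security events 4928/4929.

Added example (not from the original page). SourceDRA is assumed to be the DN of the
source DC's NTDS Settings object, as logged on the receiving DC.
"""
from datetime import datetime, timedelta
from typing import Optional
import re

KNOWN_DCS = {"DC01", "DC02"}          # allowlist placeholder: fill from Get-ADDomainController
SHORT_LIVED = timedelta(minutes=30)   # register -> unregister far faster than a real DC promotion

_SERVER_CN = re.compile(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)

def source_host(source_dra: str) -> Optional[str]:
    """Pull the server name out of a Source DRA DN such as
    'CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,...'."""
    m = _SERVER_CN.search(source_dra)
    return m.group(1).upper() if m else None

def detect_dcshadow(events, known_dcs=KNOWN_DCS, window=SHORT_LIVED):
    """Return a list of (alert, host, naming_context) tuples.

    Each event is a dict with EventID (int), TimeCreated (ISO 8601 string),
    SourceDRA and NamingContext. Events are processed in time order."""
    alerts = []
    established = {}  # host -> time of its first 4928 from an unknown source
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        host = source_host(ev["SourceDRA"])
        if host is None or host in known_dcs:
            continue  # legitimate replication partner (or unparseable DN)
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4928:
            established.setdefault(host, ts)
            alerts.append(("unknown_replica_source", host, ev["NamingContext"]))
        elif ev["EventID"] == 4929 and host in established:
            if ts - established.pop(host) <= window:
                alerts.append(("short_lived_dc_registration", host, ev["NamingContext"]))
    return alerts

# Constructed sample events (not real log data): one normal partner, one workstation
# that registers as a replica source and disappears 28 seconds later.
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"EventID": 4928, "TimeCreated": "2024-05-01T10:00:00", "SourceDRA": f"CN=NTDS Settings,CN=DC02,{_SITE}", "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4928, "TimeCreated": "2024-05-01T10:05:12", "SourceDRA": f"CN=NTDS Settings,CN=WS-FINANCE-07,{_SITE}", "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4929, "TimeCreated": "2024-05-01T10:05:40", "SourceDRA": f"CN=NTDS Settings,CN=WS-FINANCE-07,{_SITE}", "NamingContext": "DC=corp,DC=local"},
]

if __name__ == "__main__":
    for alert in detect_dcshadow(SAMPLE_EVENTS):
        print(alert)
```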
MDI Detection
Microsoft Defender for Identity has a specific detection for DCShadow:
- "Suspected DCShadow attack (DC promotion)"
- "Suspected DCShadow attack (replication request)"
These detections fire when a non-DC machine initiates replication requests.
Mitigation
| Control | Mechanism |
|---|---|
| Restrict DC registration rights | Only designated accounts can create nTDSDSA objects in the configuration partition |
| Monitor Sites & Services changes | Alert on new server/DC registrations |
| Privileged Access Workstations | Reduce locations where DA credentials are used |
| Tier 0 protection | Limit who has Domain Admin |
CTI Context
DCShadow was presented by Benjamin Delpy (Mimikatz author) and Vincent Le Toux at BlueHat IL 2018. It has been used in sophisticated APT operations where attackers with DA access needed to modify AD attributes without triggering standard change detection pipelines.
Evidence that DCShadow was used is typically found post-compromise through AD forensics:
- Unexpected SID History entries
- ACL changes with no corresponding modification events
- Group membership changes with no corresponding memberOf change events
Cross-Links
| Topic | Link |
|---|---|
| DCSync | dcsync |
| SID History Abuse | sid-history-abuse |
| ACL Abuse | acl-abuse |
| Golden Ticket | golden-ticket |