{
	"id": "5c96a876-2a0d-4443-8462-4c1595808032",
	"created_at": "2026-04-06T01:30:09.687509Z",
	"updated_at": "2026-04-10T13:11:52.583345Z",
	"deleted_at": null,
	"sha1_hash": "1496a4d8ca0860bb12ee65bec5c064b95abab630",
	"title": "DCShadow Attacks: Detecting a Rogue Domain Controller",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749963,
	"plain_text": "DCShadow Attacks: Detecting a Rogue Domain Controller\r\nBy Vikram Navali\r\nPublished: 2022-08-15 · Archived: 2026-04-06 00:43:11 UTC\r\nIn our earlier Protecting Against Active Directory DCSync Attacks blog post, we saw how attackers can\r\nreplicate permissions and completely control Active Directory (AD) infrastructure using DCSync attacks. Another\r\ndevastating technique that attackers use against AD is the DCShadow attack. It is a method of manipulating\r\nAD data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the\r\nbehavior of a legitimate Domain Controller (DC).\r\nA DCShadow attack allows an attacker with domain or enterprise admin privileges to create a rogue DC in the\r\nnetwork. Once registered, the rogue DC is used to inject domain objects (such as accounts, access control lists,\r\nschemas, credentials, or access keys) and replicate the changes into the AD infrastructure.\r\nHow Does a DCShadow Attack Work?\r\nThe DCShadow attack shares similarities with the DCSync attack, which is already present in the lsadump module of\r\nthe open-source tool Mimikatz. This post-exploitation attack requires domain admin or enterprise admin privileges on\r\nan endpoint. The following attack flow was demonstrated with detailed steps at the Bluehat IL 2018 conference by\r\nVincent LE TOUX and Benjamin Delpy.\r\n1. Registering the DC by creating two objects in the CN=Configuration partition and altering the SPN of the\r\ncomputer used.\r\nhttps://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/\r\nPage 1 of 4\n\n2. Pushing the data, triggered using DrsReplicaAdd, Kerberos Credentials Collector (KCC), or other internal\r\nAD events.\r\n3. Removing the previously created objects to demote the DC.\r\nAttackers can perform a DCShadow attack by installing Mimikatz on a compromised Windows endpoint and\r\nstarting the mimidrv service. 
To play the role of a fake Domain Controller, an attacker can execute the following\r\ncommands to register and start a service with appropriate privileges.\r\ntoken::whoami\r\nLet us take one scenario and see how an attacker attempts a persistence attack by modifying the primaryGroupID\r\nattribute. An attacker can run the lsadump::dcshadow command to modify the value of primaryGroupID to 512.\r\nThe following command makes a standard domain user a member of the domain admin group.\r\nlsadump::dcshadow /object:POC User5 /attribute:primaryGroupID /value:512\r\nFirst, let us verify the primary group ID value before pushing the AD data. As shown in the image below, we can use\r\nthe net group command to verify and confirm that the user POC User5 is not part of the Admin group.\r\nWe will replicate the changes from the rogue domain controller to the legitimate one by executing the following\r\ncommand.\r\nlsadump::dcshadow /push\r\nLet us verify the net group command output again. As you can see, the same user POC User5 is now part of the\r\nDomain Administrator group.\r\nnet group \"Domain Admins\" /domain\r\nIt is just as simple as shown above. Once an endpoint is a member of a domain administrator or privileged group,\r\nit gets higher privileges in the domain and can compromise the entire domain.\r\nTrickBot is an example of modular malware that used Mimikatz’s lsadump module to collect valuable\r\ninformation and carry out attacks such as DCSync, DCShadow, and the Kerberos Golden Ticket compromise.\r\nThe DCShadow technique can evade detection and bypass SIEM logging mechanisms, since changes from a\r\nrogue DC are not captured. The technique changes or deletes replication and other associated metadata to obstruct\r\nforensic analysis. 
The SentinelOne Singularity™ Identity solution detects DCShadow attacks targeting AD and\r\nidentifies suspicious user behaviors. The solution also triggers high-fidelity alerts and reports on rogue Domain\r\nControllers that can pose a serious risk to the organization’s domain information.\r\nMitigation Strategies\r\nAs a mitigation strategy, security administrators can determine which DCs are real and which are rogue. Delete any computer object\r\nthat is not a genuine Domain Controller. It is also important to verify the presence of computer objects in the\r\nDomain Controllers OU and nTDSDSA objects in the configuration partition of AD.\r\nThe following investigation steps can also help security administrators mitigate DCShadow attacks.\r\nCapture network traffic and analyze the packets associated with data replication (such as calls to\r\nDrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non-DC\r\nhosts.\r\nInvestigate Directory Service Replication (DRS) events 4928 and 4929 using Event Viewer on the DC.\r\nObserve the Destination DRA and Source DRA distinguished names (DNs) and validate the legitimate DN from\r\nActive Directory Users and Computers. Look for any unauthorized DRA replication between domain\r\ncontrollers.\r\nMonitor for Mimikatz command usage, for example, lsadump::dcshadow.\r\nMonitor for SPN scanning tool usage. For example, the simple command setspn -Q HTTP/* allows an\r\nattacker to find HTTP SPNs.\r\nInvestigate the usage of Kerberos Service Principal Names (SPNs). Two types of SPNs can clearly indicate a\r\nDCShadow attack: 
an SPN beginning with “GC/” that is associated with services on a computer not present in\r\nthe DC organizational unit (OU), and an SPN associated with the Directory Replication Service (DRS)\r\nRemote Protocol interface (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2).\r\nConclusion\r\nAttackers can use the DCShadow technique to perform more advanced attacks and establish backdoors for\r\npersistence. Organizations must implement continuous monitoring solutions, regularly review system activities\r\nsuch as AD object creation and replication, and alert the security team to take the necessary mitigations.\r\nFor more information, please visit Singularity™ Identity.\r\nSource: https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/"
	],
	"report_names": [
		"detecting-a-rogue-domain-controller-dcshadow-attack"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1496a4d8ca0860bb12ee65bec5c064b95abab630.pdf",
		"text": "https://archive.orkl.eu/1496a4d8ca0860bb12ee65bec5c064b95abab630.txt",
		"img": "https://archive.orkl.eu/1496a4d8ca0860bb12ee65bec5c064b95abab630.jpg"
	}
}