T1207

Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may inject and replicate changes into AD infrastructure for any domain object, including credentials, group memberships, and SID history. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (Domain or local DC) or the KRBTGT hash. This technique bypasses most SIEM sensors since changes are pushed directly via AD replication without touching standard audit paths. Mimikatz implements DCShadow via the lsadump::dcshadow module, requiring two concurrent sessions: one running as SYSTEM to register the rogue DC and stage changes, and one running as a domain admin to trigger the replication push.

Microsoft Sentinel / Defender

kusto

// Detect DCShadow / Rogue Domain Controller attacks via four parallel detection branches
// Branch 1: Mimikatz DCShadow command-line arguments (MDE process telemetry)
let MimikatzDCShadow = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsadump::dcshadow", "dcshadow /push", "dcshadow /start", "dcshadow /domain", "dcshadow /object", "dcshadow /attribute")
    or (FileName =~ "mimikatz.exe" and ProcessCommandLine has "dcshadow")
| extend DetectionBranch = "MimikatzDCShadow",
         AlertReason = "Mimikatz DCShadow command-line arguments detected on endpoint"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, AlertReason;
// Branch 2: Rogue DC registration — nTDSDSA object created in AD Configuration partition
// Requires: Security Events connector collecting from Domain Controllers
let RogueDCRegistration = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 5137
| where EventData has "nTDSDSA" or EventData has "NTDS Settings"
| extend DetectionBranch = "RogueDCObjectCreated",
         AlertReason = "nTDSDSA object created in AD Configuration partition — possible rogue DC registration"
| project TimeGenerated as Timestamp, Computer as DeviceName, SubjectUserName as AccountName,
         tostring(EventData), DetectionBranch, AlertReason;
// Branch 3: Unexpected AD replication source established or removed on Domain Controllers
let ReplicationSourceChange = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4928, 4929)
| extend DetectionBranch = "ReplicationSourceChange",
         AlertReason = iff(EventID == 4928,
             "AD replica source naming context established — verify this is a legitimate DC",
             "AD replica source naming context removed — verify expected decommission")
| project TimeGenerated as Timestamp, Computer as DeviceName, SubjectUserName as AccountName,
         tostring(EventData), DetectionBranch, AlertReason;
// Branch 4: Computer account gaining DC-specific SPNs (rogue DC SPN registration)
let DCLikeSPNAdded = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4742
| where EventData has "GC/" or EventData has "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
| extend DetectionBranch = "DCLikeSPNAdded",
         AlertReason = "Computer account modified with Global Catalog or DRSUapi SPN — possible rogue DC SPN registration"
| project TimeGenerated as Timestamp, Computer as DeviceName, SubjectUserName as AccountName,
         tostring(EventData), DetectionBranch, AlertReason;
union MimikatzDCShadow, RogueDCRegistration, ReplicationSourceChange, DCLikeSPNAdded
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Active Directory: Active Directory Object Creation Active Directory: Active Directory Object Modification User Account: User Account Modification Microsoft Defender for Endpoint Windows Security Event Log (Domain Controllers)

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Legitimate Domain Controller promotion (dcpromo or Add-WindowsFeature AD-Domain-Services) creates nTDSDSA objects in the Configuration partition — always correlate with approved change management tickets
Read-Only Domain Controller (RODC) deployment and RODC password replication policy changes generate replication source events that resemble DCShadow indicators
AD migration tools such as Active Directory Migration Tool (ADMT) or Quest Migration Manager that temporarily register replication partners during inter-forest or inter-domain migrations
Disaster recovery scenarios involving authoritative AD restore or DC rebuild from backup may produce replication source changes and SPNs resembling rogue DC activity
Security researchers and red teams validating DCShadow detection capabilities in authorized lab environments — verify against approved penetration testing schedules

Splunk

spl

((index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*lsadump::dcshadow*" OR CommandLine="*dcshadow /push*" OR CommandLine="*dcshadow /start*"
   OR CommandLine="*dcshadow /domain*" OR CommandLine="*dcshadow /object*" OR CommandLine="*dcshadow /attribute*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=5137
  (Message="*nTDSDSA*" OR Message="*NTDS Settings*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4928 OR EventCode=4929))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4742
  (Message="*GC/*" OR Message="*E3514235-4B06-11D1-AB04-00C04FC2DCD2*")))
| eval DetectionBranch=case(
    EventCode="1", "MimikatzDCShadow",
    EventCode="5137", "RogueDCObjectCreated",
    (EventCode="4928" OR EventCode="4929"), "ReplicationSourceChange",
    EventCode="4742", "DCLikeSPNAdded",
    true(), "Unknown")
| eval AlertReason=case(
    EventCode="1", "Mimikatz DCShadow command-line arguments detected on endpoint",
    EventCode="5137", "nTDSDSA object created in AD Configuration partition — possible rogue DC registration",
    EventCode="4928", "AD replica source naming context established — verify this is a legitimate DC",
    EventCode="4929", "AD replica source naming context removed — verify expected decommission",
    EventCode="4742", "Computer account modified with DC-like SPN (GC/ or DRSUapi UUID)",
    true(), "DCShadow indicator")
| eval TargetAccount=coalesce(User, SubjectUserName, TargetUserName)
| table _time, host, ComputerName, TargetAccount, CommandLine, EventCode, DetectionBranch, AlertReason
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation Active Directory: Active Directory Object Creation Active Directory: Active Directory Object Modification Sysmon Event ID 1 Windows Security Event ID 5137 Windows Security Event ID 4928 Windows Security Event ID 4929 Windows Security Event ID 4742

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate Domain Controller promotion (dcpromo or Add-WindowsFeature AD-Domain-Services) creates nTDSDSA objects in the Configuration partition — always correlate with approved change management tickets
Read-Only Domain Controller (RODC) deployment and RODC password replication policy changes generate replication source events that resemble DCShadow indicators
AD migration tools such as Active Directory Migration Tool (ADMT) or Quest Migration Manager that temporarily register replication partners during inter-forest or inter-domain migrations
Disaster recovery scenarios involving authoritative AD restore or DC rebuild from backup may produce replication source changes and SPNs resembling rogue DC activity
Security researchers and red teams validating DCShadow detection capabilities in authorized lab environments — verify against approved penetration testing schedules

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username,
  sourceip,
  "EventID",
  CASE
    WHEN "EventID" = '1'              THEN 'MimikatzDCShadow'
    WHEN "EventID" = '5137'           THEN 'RogueDCObjectCreated'
    WHEN "EventID" IN ('4928','4929') THEN 'ReplicationSourceChange'
    WHEN "EventID" = '4742'           THEN 'DCLikeSPNAdded'
    ELSE 'DCShadowIndicator'
  END AS DetectionBranch,
  CASE
    WHEN "EventID" = '1'    THEN 'Mimikatz DCShadow command-line arguments detected on endpoint'
    WHEN "EventID" = '5137' THEN 'nTDSDSA object created in AD Configuration partition - possible rogue DC registration'
    WHEN "EventID" = '4928' THEN 'AD replica source naming context established - verify this is a legitimate DC'
    WHEN "EventID" = '4929' THEN 'AD replica source naming context removed - verify expected decommission'
    WHEN "EventID" = '4742' THEN 'Computer account modified with Global Catalog or DRSUapi SPN'
    ELSE 'DCShadow indicator'
  END AS AlertReason,
  payload
FROM events
WHERE
  (
    (
      "EventID" = '1'
      AND (
        payload ILIKE '%lsadump::dcshadow%'
        OR payload ILIKE '%dcshadow /push%'
        OR payload ILIKE '%dcshadow /start%'
        OR payload ILIKE '%dcshadow /domain%'
        OR payload ILIKE '%dcshadow /object%'
        OR payload ILIKE '%dcshadow /attribute%'
      )
    )
    OR (
      "EventID" = '5137'
      AND (payload ILIKE '%nTDSDSA%' OR payload ILIKE '%NTDS Settings%')
    )
    OR "EventID" IN ('4928', '4929')
    OR (
      "EventID" = '4742'
      AND (
        payload ILIKE '%GC/%'
        OR payload ILIKE '%E3514235-4B06-11D1-AB04-00C04FC2DCD2%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

critical severity high confidence

Data Sources

IBM QRadar WinCollect (Windows Security Event Log) Sysmon via WinCollect agent Microsoft Windows DSM

Required Tables

events

False Positives

DC promotion and demotion via Server Manager or Install-ADDSDomainController PowerShell cmdlet generates Events 4928, 4929, and 5137 during normal ADDS role installation — cross-reference with CMDB and approved change records for planned promotions before triaging
AD forest or domain consolidation projects using ADMT or Quest tools that perform replication-like object transfers between domains, triggering unexpected 5137 and 4742 events during inter-forest migrations
Security scanning and AD enumeration tools such as PingCastle or ADRecon querying the Configuration partition may generate object access events — these should not create nTDSDSA objects but can produce 5137 events if schema modifications occur during scanning

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
(EventCode=1 OR EventCode=5137 OR EventCode=4928 OR EventCode=4929 OR EventCode=4742)
| where
  (EventCode = "1" and
    (CommandLine contains "lsadump::dcshadow"
     or CommandLine contains "dcshadow /push"
     or CommandLine contains "dcshadow /start"
     or CommandLine contains "dcshadow /domain"
     or CommandLine contains "dcshadow /object"
     or CommandLine contains "dcshadow /attribute"))
  or (EventCode = "5137" and
    (Message contains "nTDSDSA" or Message contains "NTDS Settings"))
  or (EventCode = "4928")
  or (EventCode = "4929")
  or (EventCode = "4742" and
    (Message contains "GC/" or Message contains "E3514235-4B06-11D1-AB04-00C04FC2DCD2"))
| eval DetectionBranch = if(EventCode = "1", "MimikatzDCShadow",
    if(EventCode = "5137", "RogueDCObjectCreated",
      if(EventCode = "4928" or EventCode = "4929", "ReplicationSourceChange",
        "DCLikeSPNAdded")))
| eval AlertReason = if(EventCode = "1",
    "Mimikatz DCShadow command-line arguments detected on endpoint",
    if(EventCode = "5137",
      "nTDSDSA object created in AD Configuration partition - possible rogue DC registration",
      if(EventCode = "4928",
        "AD replica source naming context established - verify this is a legitimate DC",
        if(EventCode = "4929",
          "AD replica source naming context removed - verify expected decommission",
          "Computer account modified with DC-like SPN (GC/ or DRSUapi UUID)"))))
| fields _messageTime, _sourceHost, ComputerName, UserName, SubjectUserName, CommandLine, EventCode, DetectionBranch, AlertReason
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log source) Sysmon via Sumo Logic Collector agent Windows Security Event Log forwarded via Sumo Logic Agent

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*wineventlog*

False Positives

Domain Controller promotion generates Events 5137, 4928, and 4929 during ADDS role installation — suppress alerts for known DC promotion maintenance windows by implementing scheduled view exclusions or field extraction filters on known DC hostnames during approved change windows
AD replication topology reconfiguration by domain admins during disaster recovery drills or site restructuring generates Events 4928 and 4929 on all DCs in affected AD sites
Authorized red team exercises running Mimikatz DCShadow module against isolated lab environments — implement suppression by source host exclusion for approved red team asset names in the detection rule

Google Chronicle / SecOps

yaral

rule T1207_Rogue_Domain_Controller {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DCShadow / Rogue Domain Controller attacks via Mimikatz process arguments, nTDSDSA AD object creation, AD replication source changes, and DC-like SPN additions to computer accounts"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1207"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1207/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)lsadump::dcshadow`) or
        re.regex($e.target.process.command_line, `(?i)dcshadow\s+/(push|start|domain|object|attribute)`)
      )
    ) or
    (
      $e.metadata.product_event_type = "5137" and
      (
        re.regex($e.target.resource.name, `(?i)nTDSDSA`) or
        re.regex($e.security_result.description, `(?i)NTDS\s+Settings`)
      )
    ) or
    (
      $e.metadata.product_event_type = "4928" or
      $e.metadata.product_event_type = "4929"
    ) or
    (
      $e.metadata.product_event_type = "4742" and
      (
        re.regex($e.target.resource.attribute.labels["ServicePrincipalNames"], `GC/`) or
        re.regex($e.target.resource.attribute.labels["ServicePrincipalNames"], `E3514235-4B06-11D1-AB04-00C04FC2DCD2`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle Windows sensor (Security Event Log ingestion) Microsoft Defender for Endpoint via Chronicle integration Active Directory Audit Logs via Chronicle ingestion pipeline

Required Tables

MICROSOFT_WINDOWS WINDOWS_ACTIVE_DIRECTORY CS_EDR

False Positives

Legitimate Domain Controller promotion generates PROCESS_LAUNCH events for dcpromo-related binaries and product events 5137, 4928, 4929 during normal ADDS role installation — validate against asset inventory and CMDB for known DC promotion activities before escalating
AD replication agreement creation during forest-level disaster recovery exercises or infrastructure expansion projects generates Events 4928 and 4929 on all DCs in the affected site — correlate with change management approval records
Authorized penetration testing or purple team exercises executing Mimikatz DCShadow against non-production domains — coordinate asset tagging with red team to suppress known test host alerts during engagements

CrowdStrike LogScale (CQL)

cql

union(
  {
    #event_simpleName=ProcessRollup2
    | CommandLine=/(?i)(lsadump::dcshadow|dcshadow\s+\/(push|start|domain|object|attribute))/
    | DetectionBranch:="MimikatzDCShadow"
    | AlertReason:="Mimikatz DCShadow command-line arguments detected on endpoint"
  },
  {
    EventID=5137
    | Message=/nTDSDSA|NTDS\s+Settings/
    | DetectionBranch:="RogueDCObjectCreated"
    | AlertReason:="nTDSDSA object created in AD Configuration partition - possible rogue DC registration"
  },
  {
    EventID in (4928, 4929)
    | case {
        EventID=4928
          | DetectionBranch:="ReplicationSourceEstablished"
          | AlertReason:="AD replica source naming context established - verify this is a legitimate DC" ;
        EventID=4929
          | DetectionBranch:="ReplicationSourceRemoved"
          | AlertReason:="AD replica source naming context removed - verify expected decommission" ;
        *
          | DetectionBranch:="ReplicationSourceChange"
          | AlertReason:="AD replication source change detected" ;
      }
  },
  {
    EventID=4742
    | Message=/GC\/|E3514235-4B06-11D1-AB04-00C04FC2DCD2/
    | DetectionBranch:="DCLikeSPNAdded"
    | AlertReason:="Computer account modified with Global Catalog or DRSUapi SPN - possible rogue DC registration"
  }
)
| table([_time, ComputerName, UserName, CommandLine, EventID, DetectionBranch, AlertReason])
| sort(field=_time, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Windows Security Event Log via Falcon LogScale Collector CrowdStrike Falcon Identity Protection (AD event telemetry)

Required Tables

ProcessRollup2 Windows Security Event Log forwarded via Falcon LogScale Collector

False Positives

Legitimate DC promotion via Install-ADDSDomainController or Server Manager generates ProcessRollup2 events for Windows setup binaries and Security Events 5137, 4928, 4929 — baseline known DC hostnames in ComputerName and filter against CMDB before triaging
AD migration tooling such as Microsoft ADMT generating computer account modifications (Event 4742) with temporary SPNs during cross-forest or cross-domain object migration operations
Authorized red team or purple team operations using Mimikatz DCShadow — implement asset tagging on known red team systems and exclude those ComputerName values from production alerting dashboards during engagement windows

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1207 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Rogue Domain Controller

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections