T1207 Google Chronicle · YARA-L

Detect Rogue Domain Controller in Google Chronicle

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may inject and replicate changes into AD infrastructure for any domain object, including credentials, group memberships, and SID history. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (Domain or local DC) or the KRBTGT hash. This technique bypasses most SIEM sensors since changes are pushed directly via AD replication without touching standard audit paths. Mimikatz implements DCShadow via the lsadump::dcshadow module, requiring two concurrent sessions: one running as SYSTEM to register the rogue DC and stage changes, and one running as a domain admin to trigger the replication push.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1207 Rogue Domain Controller
Canonical reference: https://attack.mitre.org/techniques/T1207/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule T1207_Rogue_Domain_Controller {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DCShadow / Rogue Domain Controller attacks via Mimikatz process arguments, nTDSDSA AD object creation, AD replication source changes, and DC-like SPN additions to computer accounts"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1207"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1207/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)lsadump::dcshadow`) or
        re.regex($e.target.process.command_line, `(?i)dcshadow\s+/(push|start|domain|object|attribute)`)
      )
    ) or
    (
      $e.metadata.product_event_type = "5137" and
      (
        re.regex($e.target.resource.name, `(?i)nTDSDSA`) or
        re.regex($e.security_result.description, `(?i)NTDS\s+Settings`)
      )
    ) or
    (
      $e.metadata.product_event_type = "4928" or
      $e.metadata.product_event_type = "4929"
    ) or
    (
      $e.metadata.product_event_type = "4742" and
      (
        re.regex($e.target.resource.attribute.labels["ServicePrincipalNames"], `GC/`) or
        re.regex($e.target.resource.attribute.labels["ServicePrincipalNames"], `E3514235-4B06-11D1-AB04-00C04FC2DCD2`)
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting DCShadow / Rogue Domain Controller (T1207) attacks across four parallel branches using UDM normalized event fields: Mimikatz DCShadow process arguments (PROCESS_LAUNCH events), nTDSDSA object creation in the AD Configuration partition (product event 5137), AD replication source context establishment or removal (product events 4928/4929), and computer account modification with Global Catalog or DRSUapi SPNs (product event 4742).
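To exercise the four branches offline before deploying the rule, the following Python harness (added here; it is not part of the Argus rule or of Chronicle's tooling) re-implements the branch logic over constructed UDM-style records and reports which branch each record trips. Host names, DNs and SPN strings are made up, and the label lookup mimics the rule's labels["ServicePrincipalNames"] indexing over a key/value list.

```python
import re

# Regexes taken from the four OR-ed branches of T1207_Rogue_Domain_Controller.
# GC/ is the Global Catalog SPN prefix; the GUID is the DRSUAPI replication service class.
MIMIKATZ_RE = re.compile(r"lsadump::dcshadow|dcshadow\s+/(push|start|domain|object|attribute)", re.I)
NTDSDSA_RE = re.compile(r"nTDSDSA", re.I)
NTDS_SETTINGS_RE = re.compile(r"NTDS\s+Settings", re.I)
DC_SPN_RE = re.compile(r"GC/|E3514235-4B06-11D1-AB04-00C04FC2DCD2")

def _get(event, path, default=""):
    """Walk a dotted UDM path through nested dicts; absent fields read as `default`."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict):
            return default
        cur = cur.get(part, default)
    return cur

def matching_branches(event: dict) -> list[str]:
    """Evaluate one event against the rule; return the names of the branches that fire."""
    hits, pet = [], str(_get(event, "metadata.product_event_type"))
    if _get(event, "metadata.event_type") == "PROCESS_LAUNCH" and \
            MIMIKATZ_RE.search(str(_get(event, "target.process.command_line"))):
        hits.append("mimikatz_dcshadow_args")
    if pet == "5137" and (NTDSDSA_RE.search(str(_get(event, "target.resource.name")))
                          or NTDS_SETTINGS_RE.search(str(_get(event, "security_result.description")))):
        hits.append("ntdsdsa_object_created")
    if pet in ("4928", "4929"):
        hits.append("replication_source_context")
    # Emulates labels["ServicePrincipalNames"]: pick the value whose key matches.
    spns = next((l.get("value", "") for l in _get(event, "target.resource.attribute.labels", [])
                 if l.get("key") == "ServicePrincipalNames"), "")
    if pet == "4742" and DC_SPN_RE.search(spns):
        hits.append("dc_spn_on_computer_account")
    return hits

def run_rule(events: list[dict]) -> dict[int, list[str]]:
    """condition: $e -- every event with at least one firing branch alerts on its own."""
    return {i: b for i, e in enumerate(events) if (b := matching_branches(e))}

# Constructed UDM-style records: one per branch, then two benign controls that must stay silent.
EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "target": {"process": {"command_line": 'mimikatz.exe "lsadump::dcshadow /push"'}}},
    {"metadata": {"product_event_type": "5137"}, "target": {"resource": {"name": "CN=WS-FIN-07,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example"}},
     "security_result": {"description": "Directory service object created: CN=NTDS Settings,CN=WS-FIN-07 (class nTDSDSA)"}},
    {"metadata": {"product_event_type": "4928"}},
    {"metadata": {"product_event_type": "4742"}, "target": {"resource": {"attribute": {"labels": [{"key": "ServicePrincipalNames", "value": "HOST/WS-FIN-07;GC/WS-FIN-07.corp.example/corp.example"}]}}}},
    {"metadata": {"product_event_type": "4742"}, "target": {"resource": {"attribute": {"labels": [{"key": "ServicePrincipalNames", "value": "HOST/WS-FIN-08;RestrictedKrbHost/WS-FIN-08"}]}}}},
    {"metadata": {"event_type": "PROCESS_LAUNCH"}, "target": {"process": {"command_line": "repadmin.exe /showconn"}}},
]
```

The two control records (an ordinary workstation SPN update and a read-only repadmin run) show that the 4742 branch depends on the GC/ or DRSUAPI SPN and that the process branch does not fire on diagnostic tooling.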

Data Sources

  • Chronicle Windows sensor (Security Event Log ingestion)
  • Microsoft Defender for Endpoint via Chronicle integration
  • Active Directory Audit Logs via Chronicle ingestion pipeline

Required Tables

  • MICROSOFT_WINDOWS
  • WINDOWS_ACTIVE_DIRECTORY
  • CS_EDR

False Positives & Tuning

  • Legitimate Domain Controller promotion generates PROCESS_LAUNCH events for dcpromo-related binaries and product events 5137, 4928, 4929 during normal ADDS role installation — validate against asset inventory and CMDB for known DC promotion activities before escalating
  • AD replication agreement creation during forest-level disaster recovery exercises or infrastructure expansion projects generates Events 4928 and 4929 on all DCs in the affected site — correlate with change management approval records
  • Authorized penetration testing or purple team exercises executing Mimikatz DCShadow against non-production domains — coordinate asset tagging with red team to suppress known test host alerts during engagements
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Existing DC Registrations (Baseline / Forensic Recon)

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with LDAP query arguments. No directory service modification events (read-only). PowerShell ScriptBlock Log Event ID 4104 capturing the LDAP filter targeting nTDSDSA objectClass. No network connections beyond standard LDAP to port 389.

  2. Test 2: DCShadow Stage Phase, Register Rogue DC (Mimikatz SYSTEM Session)

    Expected signal: Sysmon Event ID 1: mimikatz.exe process creation under NT AUTHORITY\SYSTEM context, CommandLine containing lsadump::dcshadow. Windows Security Event ID 5137 on Domain Controllers: new nTDSDSA object created under CN=Sites in the Configuration partition. Windows Security Event ID 4742: computer account of the attacking machine modified with GC/ and DRSUapi SPNs added. Sysmon Event ID 3: RPC connections from mimikatz.exe to DC on port 135 and dynamic RPC ports.

  3. Test 3: DCShadow Push Phase, Trigger Replication (Mimikatz Domain Admin Session)

    Expected signal: Sysmon Event ID 1: mimikatz.exe process creation with lsadump::dcshadow /push argument. Windows Security Event ID 4928 on receiving Domain Controllers: replica source naming context established, showing the rogue DC as the source. Windows Security Event ID 5136 on DCs: attribute modification on the target AD object (description attribute). Sysmon Event ID 3: outbound RPC connections to legitimate DC IP addresses on dynamic ports.

  4. Test 4: Validate Replication Topology for Rogue DC Partners

    Expected signal: Sysmon Event ID 1: repadmin.exe process creation (multiple instances for each flag). No AD modification events (read-only diagnostic). The /showconn output lists all inbound and outbound replication connections — any connection referencing an unexpected computer name or GUID identifies a rogue DC that has successfully registered in the replication topology.
