Which SIEM platforms have a T1207 detection rule?

df00tech provides T1207 (Rogue Domain Controller) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Rogue Domain Controller (T1207)?

Detecting Rogue Domain Controller requires the following data sources: Process: Process Creation, Active Directory: Active Directory Object Creation, Active Directory: Active Directory Object Modification, User Account: User Account Modification, Microsoft Defender for Endpoint, Windows Security Event Log (Domain Controllers).

What severity and confidence is the T1207 detection?

The T1207 detection is rated critical severity with medium confidence.

What are common false positives for T1207?

Common false positives for T1207 include: Legitimate Domain Controller promotion (dcpromo or Add-WindowsFeature AD-Domain-Services) creates nTDSDSA objects in the Configuration partition — always correlate with approved change management tickets; Read-Only Domain Controller (RODC) deployment and RODC password replication policy changes generate replication source events that resemble DCShadow indicators; AD migration tools such as Active Directory Migration Tool (ADMT) or Quest Migration Manager that temporarily register replication partners during inter-forest or inter-domain migrations.

T1207 CrowdStrike LogScale · LogScale

Detect Rogue Domain Controller in CrowdStrike LogScale

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may inject and replicate changes into AD infrastructure for any domain object, including credentials, group memberships, and SID history. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (Domain or local DC) or the KRBTGT hash. This technique bypasses most SIEM sensors since changes are pushed directly via AD replication without touching standard audit paths. Mimikatz implements DCShadow via the lsadump::dcshadow module, requiring two concurrent sessions: one running as SYSTEM to register the rogue DC and stage changes, and one running as a domain admin to trigger the replication push.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1207 Rogue Domain Controller
Canonical reference: https://attack.mitre.org/techniques/T1207/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

union(
  {
    #event_simpleName=ProcessRollup2
    | CommandLine=/(?i)(lsadump::dcshadow|dcshadow\s+\/(push|start|domain|object|attribute))/
    | DetectionBranch:="MimikatzDCShadow"
    | AlertReason:="Mimikatz DCShadow command-line arguments detected on endpoint"
  },
  {
    EventID=5137
    | Message=/nTDSDSA|NTDS\s+Settings/
    | DetectionBranch:="RogueDCObjectCreated"
    | AlertReason:="nTDSDSA object created in AD Configuration partition - possible rogue DC registration"
  },
  {
    EventID in (4928, 4929)
    | case {
        EventID=4928
          | DetectionBranch:="ReplicationSourceEstablished"
          | AlertReason:="AD replica source naming context established - verify this is a legitimate DC" ;
        EventID=4929
          | DetectionBranch:="ReplicationSourceRemoved"
          | AlertReason:="AD replica source naming context removed - verify expected decommission" ;
        *
          | DetectionBranch:="ReplicationSourceChange"
          | AlertReason:="AD replication source change detected" ;
      }
  },
  {
    EventID=4742
    | Message=/GC\/|E3514235-4B06-11D1-AB04-00C04FC2DCD2/
    | DetectionBranch:="DCLikeSPNAdded"
    | AlertReason:="Computer account modified with Global Catalog or DRSUapi SPN - possible rogue DC registration"
  }
)
| table([_time, ComputerName, UserName, CommandLine, EventID, DetectionBranch, AlertReason])
| sort(field=_time, order=desc)

critical severity high confidence

CrowdStrike LogScale (CQL) query detecting DCShadow / Rogue Domain Controller (T1207) attacks across four branches. Branch 1 uses Falcon EDR ProcessRollup2 events to detect Mimikatz DCShadow command-line arguments. Branches 2-4 require Windows Security Event Log collection via Falcon LogScale Collector, detecting nTDSDSA object creation (Event 5137), AD replication source context changes (Events 4928/4929), and computer account modification with DC-like Global Catalog or DRSUapi SPNs (Event 4742).

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events)Windows Security Event Log via Falcon LogScale CollectorCrowdStrike Falcon Identity Protection (AD event telemetry)

Required Tables

ProcessRollup2Windows Security Event Log forwarded via Falcon LogScale Collector

False Positives & Tuning

Legitimate DC promotion via Install-ADDSDomainController or Server Manager generates ProcessRollup2 events for Windows setup binaries and Security Events 5137, 4928, 4929 — baseline known DC hostnames in ComputerName and filter against CMDB before triaging
AD migration tooling such as Microsoft ADMT generating computer account modifications (Event 4742) with temporary SPNs during cross-forest or cross-domain object migration operations
Authorized red team or purple team operations using Mimikatz DCShadow — implement asset tagging on known red team systems and exclude those ComputerName values from production alerting dashboards during engagement windows

Download portable Sigma rule (.yml)

Other platforms for T1207

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enumerate Existing DC Registrations (Baseline / Forensic Recon)
Expected signal: Sysmon Event ID 1: powershell.exe process creation with LDAP query arguments. No directory service modification events (read-only). PowerShell ScriptBlock Log Event ID 4104 capturing the LDAP filter targeting nTDSDSA objectClass. No network connections beyond standard LDAP to port 389.
Test 2DCShadow Stage Phase — Register Rogue DC (Mimikatz SYSTEM Session)
Expected signal: Sysmon Event ID 1: mimikatz.exe process creation under NT AUTHORITY\SYSTEM context, CommandLine containing lsadump::dcshadow. Windows Security Event ID 5137 on Domain Controllers: new nTDSDSA object created under CN=Sites in the Configuration partition. Windows Security Event ID 4742: computer account of the attacking machine modified with GC/ and DRSUapi SPNs added. Sysmon Event ID 3: RPC connections from mimikatz.exe to DC on port 135 and dynamic RPC ports.
Test 3DCShadow Push Phase — Trigger Replication (Mimikatz Domain Admin Session)
Expected signal: Sysmon Event ID 1: mimikatz.exe process creation with lsadump::dcshadow /push argument. Windows Security Event ID 4928 on receiving Domain Controllers: replica source naming context established, showing the rogue DC as the source. Windows Security Event ID 5136 on DCs: attribute modification on the target AD object (description attribute). Sysmon Event ID 3: outbound RPC connections to legitimate DC IP addresses on dynamic ports.
Test 4Validate Replication Topology for Rogue DC Partners
Expected signal: Sysmon Event ID 1: repadmin.exe process creation (multiple instances for each flag). No AD modification events (read-only diagnostic). The /showconn output lists all inbound and outbound replication connections — any connection referencing an unexpected computer name or GUID identifies a rogue DC that has successfully registered in the replication topology.

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1207 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1003.006DCSync T1134.005SID-History Injection T1558.001Golden Ticket T1098Account Manipulation T1484.001Group Policy Modification T1550.003Pass the Ticket T1078.002Domain Accounts T1552.004Private Keys

Detect Rogue Domain Controller in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1207

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1207

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox