T1207 Splunk · SPL

Detect Rogue Domain Controller in Splunk

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may inject and replicate changes into AD infrastructure for any domain object, including credentials, group memberships, and SID history. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (Domain or local DC) or the KRBTGT hash. This technique bypasses most SIEM sensors since changes are pushed directly via AD replication without touching standard audit paths. Mimikatz implements DCShadow via the lsadump::dcshadow module, requiring two concurrent sessions: one running as SYSTEM to register the rogue DC and stage changes, and one running as a domain admin to trigger the replication push.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1207 Rogue Domain Controller
Canonical reference
https://attack.mitre.org/techniques/T1207/

SPL Detection Query

Splunk (SPL)
spl 
((index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*lsadump::dcshadow*" OR CommandLine="*dcshadow /push*" OR CommandLine="*dcshadow /start*"
   OR CommandLine="*dcshadow /domain*" OR CommandLine="*dcshadow /object*" OR CommandLine="*dcshadow /attribute*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=5137
  (Message="*nTDSDSA*" OR Message="*NTDS Settings*"))
OR
(index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4928 OR EventCode=4929))
OR
(index=wineventlog sourcetype="WinEventLog:Security" EventCode=4742
  (Message="*GC/*" OR Message="*E3514235-4B06-11D1-AB04-00C04FC2DCD2*")))
| eval DetectionBranch=case(
    EventCode="1", "MimikatzDCShadow",
    EventCode="5137", "RogueDCObjectCreated",
    (EventCode="4928" OR EventCode="4929"), "ReplicationSourceChange",
    EventCode="4742", "DCLikeSPNAdded",
    true(), "Unknown")
| eval AlertReason=case(
    EventCode="1", "Mimikatz DCShadow command-line arguments detected on endpoint",
    EventCode="5137", "nTDSDSA object created in AD Configuration partition — possible rogue DC registration",
    EventCode="4928", "AD replica source naming context established — verify this is a legitimate DC",
    EventCode="4929", "AD replica source naming context removed — verify expected decommission",
    EventCode="4742", "Computer account modified with DC-like SPN (GC/ or DRSUapi UUID)",
    true(), "DCShadow indicator")
| eval TargetAccount=coalesce(User, SubjectUserName, TargetUserName)
| table _time, host, ComputerName, TargetAccount, CommandLine, EventCode, DetectionBranch, AlertReason
| sort - _time
critical severity medium confidence

Detects DCShadow rogue domain controller attacks across four detection branches using Sysmon and Windows Security event logs. Branch 1 uses Sysmon EventCode 1 (process creation) to catch Mimikatz DCShadow command-line arguments. Branches 2-4 use Windows Security events: EventCode 5137 for nTDSDSA object creation (rogue DC AD registration), EventCodes 4928/4929 for unexpected replication source changes on DCs, and EventCode 4742 for computer accounts gaining DC-specific SPNs. Security event branches require log collection from Domain Controllers. DetectionBranch and AlertReason fields are computed to guide analyst triage.

Data Sources

Process: Process CreationActive Directory: Active Directory Object CreationActive Directory: Active Directory Object ModificationSysmon Event ID 1Windows Security Event ID 5137Windows Security Event ID 4928Windows Security Event ID 4929Windows Security Event ID 4742

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Legitimate Domain Controller promotion (dcpromo or Add-WindowsFeature AD-Domain-Services) creates nTDSDSA objects in the Configuration partition — always correlate with approved change management tickets
  • Read-Only Domain Controller (RODC) deployment and RODC password replication policy changes generate replication source events that resemble DCShadow indicators
  • AD migration tools such as Active Directory Migration Tool (ADMT) or Quest Migration Manager that temporarily register replication partners during inter-forest or inter-domain migrations
  • Disaster recovery scenarios involving authoritative AD restore or DC rebuild from backup may produce replication source changes and SPNs resembling rogue DC activity
  • Security researchers and red teams validating DCShadow detection capabilities in authorized lab environments — verify against approved penetration testing schedules
Download portable Sigma rule (.yml)

Other platforms for T1207

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Existing DC Registrations (Baseline / Forensic Recon)

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with LDAP query arguments. No directory service modification events (read-only). PowerShell ScriptBlock Log Event ID 4104 capturing the LDAP filter targeting nTDSDSA objectClass. No network connections beyond standard LDAP to port 389.

  2. Test 2DCShadow Stage Phase — Register Rogue DC (Mimikatz SYSTEM Session)

    Expected signal: Sysmon Event ID 1: mimikatz.exe process creation under NT AUTHORITY\SYSTEM context, CommandLine containing lsadump::dcshadow. Windows Security Event ID 5137 on Domain Controllers: new nTDSDSA object created under CN=Sites in the Configuration partition. Windows Security Event ID 4742: computer account of the attacking machine modified with GC/ and DRSUapi SPNs added. Sysmon Event ID 3: RPC connections from mimikatz.exe to DC on port 135 and dynamic RPC ports.

  3. Test 3DCShadow Push Phase — Trigger Replication (Mimikatz Domain Admin Session)

    Expected signal: Sysmon Event ID 1: mimikatz.exe process creation with lsadump::dcshadow /push argument. Windows Security Event ID 4928 on receiving Domain Controllers: replica source naming context established, showing the rogue DC as the source. Windows Security Event ID 5136 on DCs: attribute modification on the target AD object (description attribute). Sysmon Event ID 3: outbound RPC connections to legitimate DC IP addresses on dynamic ports.

  4. Test 4Validate Replication Topology for Rogue DC Partners

    Expected signal: Sysmon Event ID 1: repadmin.exe process creation (multiple instances for each flag). No AD modification events (read-only diagnostic). The /showconn output lists all inbound and outbound replication connections — any connection referencing an unexpected computer name or GUID identifies a rogue DC that has successfully registered in the replication topology.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1207 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1003.006DCSyncT1134.005SID-History InjectionT1558.001Golden TicketT1098Account ManipulationT1484.001Group Policy ModificationT1550.003Pass the TicketT1078.002Domain AccountsT1552.004Private Keys

Same Tactic: Defense Evasion

Popular Detections