title: Rogue Domain Controller (T1207)
id: df00tech-t1207
status: experimental
description: "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may inject and replicate changes into AD infrastructure for any domain object, including credentials, group memberships, and SID history. Registering a rogue DC involves creating new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (Domain or local DC) or the KRBTGT hash. This technique bypasses most SIEM sensors since changes are pushed directly via AD replication without touching standard audit paths. Mimikatz implements DCShadow via the lsadump::dcshadow module, requiring two concurrent sessions: one running as SYSTEM to register the rogue DC and stage changes, and one running as a domain admin to trigger the replication push."
references:
  - https://attack.mitre.org/techniques/T1207/
  - https://df00tech.com/detections/T1207
author: df00tech
date: 2026/04/21
tags:
  - attack.t1207
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Domain Controller promotion (dcpromo or Add-WindowsFeature AD-Domain-Services) creates nTDSDSA objects in the Configuration partition — always correlate with approved change management tickets
  - Read-Only Domain Controller (RODC) deployment and RODC password replication policy changes generate replication source events that resemble DCShadow indicators
  - AD migration tools such as Active Directory Migration Tool (ADMT) or Quest Migration Manager that temporarily register replication partners during inter-forest or inter-domain migrations
  - Disaster recovery scenarios involving authoritative AD restore or DC rebuild from backup may produce replication source changes and SPNs resembling rogue DC activity
  - Security researchers and red teams validating DCShadow detection capabilities in authorized lab environments — verify against approved penetration testing schedules
level: critical