This note documents detection patterns related to DCShadow within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4742 | Computer account changed | High | Attackers may modify attributes of a computer account when registering a rogue domain controller during DCShadow operations. |
| Security | 5136 | Directory object modified | Critical | DCShadow modifies AD objects directly via replication. Review AttributeLDAPDisplayName, ObjectDN, and SubjectUserName. |
| Security | 4672 | Special privileges assigned | High | Attackers often require Domain Admin or equivalent privileges before performing DCShadow. |
| Security | 4624 | Successful logon | High | Administrative logon preceding DCShadow operation. |
| Security | 4688 | Process creation | High | May reveal execution of mimikatz with DCShadow modules. |
| Sysmon | 1 | Process creation | Critical | Execution of mimikatz or other tooling enabling DCShadow attack. |
| Sysmon | 3 | Network connection | Medium | Suspicious RPC communication between host and domain controllers. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Rogue domain controller registration | Temporary domain controller objects appearing in AD | Critical | DCShadow simulates a rogue DC for replication operations. |
| Unusual AD attribute modifications | Changes to sensitive attributes like admin privileges or password hashes | High | Attackers may inject privileges or persistence mechanisms. |
| Replication operations from non-DC host | Replication traffic initiated by workstation or server | Critical | Strong indicator of DCShadow. |
| Mimikatz execution | Command line containing lsadump::dcshadow | High | Direct evidence of attack tooling. |
| Persistence artifacts | Backdoored accounts or modified ACLs | High | Often used to maintain domain persistence. |
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Implements DCShadow to push malicious replication changes to domain controllers. |
| Cobalt Strike | Used to execute Mimikatz modules remotely. |
| PowerShell | Used to stage and execute credential manipulation scripts. |
Relevant Artifacts
- Windows Security logs (4742, 5136, 4624, 4672, 4688)
- Directory Service logs
- Sysmon logs (1, 3)
- AD replication metadata
- EDR telemetry showing suspicious administrative tools
- Network traffic between compromised host and domain controllers
- Attribute modification records within AD objects
- New nTDSDSA object
- Appended a global catalog ServicePrincipalName to the computer object
MITRE ATT&CK References
- T1207 DCShadow
- T1098 Account Manipulation
- T1078 Valid Accounts
- T1484 Domain Policy Modification
Decision Tree
- Is the suspicious event present?
  - Look for Event 5136 modifications involving privileged attributes.
- What host generated the event?
  - Determine whether modifications originated from a non-domain-controller host.
- Is the account expected to perform this action?
  - Only domain controllers and authorized admins normally perform replication modifications.
- Pivot:
  - Source host → inspect executed processes and administrative tools.
  - Account → review privilege assignments and group membership.
  - Network → inspect replication traffic patterns.
- Confirm exploitation
  - Determine whether the attacker modified privileges or persistence mechanisms.
Example Detection Templates
KQL
SecurityEvent
| where EventID == 5136
| where AttributeLDAPDisplayName contains "admin"
| project TimeGenerated, SubjectUserName, ObjectDN, AttributeLDAPDisplayName

SecurityEvent
| where EventID == 4742
| project TimeGenerated, TargetUserName, SubjectUserName
EQL
any where event.code == "5136"
Sigma
title: Possible DCShadow Attack
id: dcshadow-detection
status: experimental
description: Detects suspicious Active Directory object modifications that may indicate DCShadow
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
  - AttributeLDAPDisplayName
falsepositives:
  - Legitimate directory modifications by administrators
level: high
tags:
  - attack.persistence
  - attack.t1207
Splunk
PKINIT Logons
index=main source="WinEventLog:Security" EventCode=4768 Pre_Authentication_Type=16
| stats count values(user) as Users values(src_ip) as SourceIPs values(Ticket_Encryption_Type) as Encryption by user
| sort - count
Unexpected PKINIT by Non-Smartcard User
index=main source="WinEventLog:Security" EventCode=4768 Pre_Authentication_Type=16
| search user!=*$
| stats count values(src_ip) as SourceIPs values(TargetUserName) as TargetUsers by user
| where count > 1
Detect msDS-KeyCredentialLink Modification
index=main source="WinEventLog:Security" EventCode=5136
| search AttributeLDAPDisplayName="msDS-KeyCredentialLink"
| table _time SubjectUserName ObjectDN AttributeLDAPDisplayName AttributeValue
Hunt Global Catalog SPNs
index=main earliest=1690623888 latest=1690623890 EventCode=4742
| rex field=Message "(?P<gcspn>GC\/[a-zA-Z0-9\.\-\/]+)"
| table _time, ComputerName, Security_ID, Account_Name, user, gcspn
| search gcspn=*
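The decision tree and the 5136/4742 templates above, applied to a few constructed events, as an added example that is not part of this note: the list of legitimate domain controllers, the set of sensitive attributes and the sample events are assumptions chosen for the lab, and the GC SPN pattern is the one from the Splunk rex.

```python
import re
from dataclasses import dataclass

# Constructed lab data (assumptions, not from the note): the legitimate domain controllers,
# and the attribute names treated as sensitive for the 5136 check.
KNOWN_DCS = {"DC01", "DC02"}
SENSITIVE_ATTRS = {"primarygroupid", "sidhistory", "ntsecuritydescriptor",
                   "admincount", "msds-keycredentiallink", "member"}
# Same pattern the note's Splunk rex uses to pull a global catalog SPN out of the message text.
GC_SPN = re.compile(r"GC/[A-Za-z0-9.\-/]+")

@dataclass
class Event:
    event_id: int
    subject_user: str          # SubjectUserName ("jdoe" or a machine account "WS042$")
    target: str = ""           # 4742: TargetUserName (the computer account that changed)
    object_dn: str = ""        # 5136: ObjectDN of the modified object
    attribute: str = ""        # 5136: AttributeLDAPDisplayName
    message: str = ""          # 4742: event message containing the SPN list

def account_host(name: str) -> str:
    """Turn a machine account name like 'WS042$' into the host name 'WS042'."""
    return name.rstrip("$").upper()

def triage(e: Event) -> list[str]:
    """Apply the note's decision tree to one event and return the reasons it is suspicious."""
    findings: list[str] = []
    if e.event_id == 5136:
        if e.attribute.lower() in SENSITIVE_ATTRS:
            findings.append(f"5136 sensitive attribute {e.attribute} changed on {e.object_dn}")
        if e.subject_user.endswith("$") and account_host(e.subject_user) not in KNOWN_DCS:
            findings.append(f"5136 change originated from non-DC machine account {e.subject_user}")
    elif e.event_id == 4742:
        spns = GC_SPN.findall(e.message)
        # Real DCs legitimately carry GC SPNs; only a non-DC computer account gaining one is odd.
        if spns and account_host(e.target) not in KNOWN_DCS:
            findings.append(f"4742 GC SPN {spns[0]} registered on non-DC {e.target}")
    return findings

# Constructed sample events: a benign admin edit, a GC SPN appended to a workstation,
# and a sensitive attribute change attributed to a workstation's machine account.
SAMPLE_EVENTS = [
    Event(5136, "jdoe", object_dn="CN=Printers,OU=Groups,DC=corp,DC=local", attribute="description"),
    Event(4742, "jdoe", target="WS042$",
          message="Service Principal Names: GC/ws042.corp.local/corp.local"),
    Event(5136, "WS042$", object_dn="CN=svc-backup,OU=Users,DC=corp,DC=local",
          attribute="primaryGroupID"),
]

def run() -> dict[str, list[str]]:
    """Map each sample event (id:subject) to the findings raised for it; an empty list is benign."""
    return {f"{e.event_id}:{e.subject_user}": triage(e) for e in SAMPLE_EVENTS}
```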
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privileged access control | Restrict Domain Admin and replication privileges | High | Limits ability to perform DCShadow. |
| AD monitoring | Alert on unusual directory attribute modifications | High | Detects unauthorized changes to AD objects. |
| Network monitoring | Monitor replication traffic between hosts | Medium | Detects rogue replication activity. |
| Administrative auditing | Track administrative command execution | High | Provides visibility into misuse of administrative tools. |
| Security baselines | Regularly audit AD objects and ACLs | High | Detects unauthorized persistence mechanisms. |