DET0276 Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse

Item	Value
ID	DET0276
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1207 (Rogue Domain Controller)

Analytics

Windows

AN0770

Detection of rogue Domain Controller registration and Active Directory replication abuse by correlating: (1) creation/modification of nTDSDSA and server objects in the Configuration partition, (2) unexpected usage of Directory Replication Service SPNs (GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2), (3) replication RPC calls (DrsAddEntry, DrsReplicaAdd, GetNCChanges) originating from non-DC hosts, and (4) Kerberos authentication by non-DC machines using DRS-related SPNs. These events in combination, especially from hosts outside the Domain Controllers OU, may indicate DCShadow or rogue DC activity.

Log Sources

Data Component	Name	Channel
Active Directory Object Creation (DC0087)	WinEventLog:Security	EventCode=4928
Active Directory Credential Request (DC0084)	WinEventLog:Security	EventCode=4929
Active Directory Object Access (DC0071)	WinEventLog:Security	EventCode=4662
Active Directory Object Modification (DC0066)	m365:dirsync	Replication cookie changes involving Configuration partition with new server/nTDSDSA objects.
Network Traffic Content (DC0085)	NSM:Flow	DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs.

Mutable Elements

Field	Description
TimeWindow	Window (seconds) between nTDSDSA object creation and subsequent replication traffic from same host (default 300s).
AllowedReplicationPartners	List of legitimate DCs authorized for replication to reduce false positives.
SuspiciousSPNs	SPNs indicating replication service usage (GC/, GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2).
NonDCObjectCreationAlert	Trigger alerts only when AD object creation is by accounts not in Domain Admins or Enterprise Admins groups.