T1207

Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, includi...

Windows
8 Detections, 2 Sources, 0 Threat Actors

BY SOURCE

6 splunk_escu, 2 sigma

PROCEDURES (7)

Persist: 2 detections

Auto-extracted: 2 detections for persist

Service Monitoring: 1 detection

Auto-extracted: 1 detection for service monitoring

Authentication Monitoring: 1 detection

Auto-extracted: 1 detection for authentication monitoring

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

Credential: 1 detection

Auto-extracted: 1 detection for credential

Credential: 1 detection

Auto-extracted: 1 detection for credential

Credential: 1 detection

Auto-extracted: 1 detection for credential

DETECTIONS (8)