Description

DCShadow is another late-stage kill chain attack that allows an attacker who already holds privileged credentials to register a rogue domain controller and push arbitrary changes to the domain through normal domain replication (for example, applying forbidden sidHistory values).
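A defender-side check, added here as an example rather than code from this indicator page or its vendor: it scans Windows Security event 4742 ("A computer account was changed") records for a computer account outside the known domain-controller inventory that gains the Global Catalog or DRS replication-interface SPNs, which is the registration step a rogue DC needs before it can replicate changes. The event field names, the known-DC list and the sample records are the example's own assumptions and constructions.

```python
"""Added example: flag rogue-DC registration (DCShadow preparation) in
Windows Security event 4742 records."""
import re

# SPNs a genuine domain controller carries. A computer that is not a known DC
# suddenly registering them is the tell-tale DCShadow preparation step.
DRS_INTERFACE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

def is_dc_spn(spn: str) -> bool:
    """True for the Global Catalog SPN or the DRS replication-interface SPN."""
    u = spn.strip().upper()
    return u.startswith("GC/") or u.startswith(DRS_INTERFACE_GUID + "/")

def find_rogue_dc_registrations(events, known_dcs):
    """Return [(computer_account, [suspicious_spns])] for 4742 events where a
    computer outside `known_dcs` gains DC-only SPNs. `known_dcs` is assumed to
    come from an authoritative inventory (e.g. the Domain Controllers OU)."""
    known = {dc.upper() for dc in known_dcs}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        raw = ev.get("ServicePrincipalNames", "-")
        if raw == "-":  # attribute not changed in this event
            continue
        target = ev.get("TargetUserName", "")
        spns = [s for s in re.split(r"[\s;]+", raw) if s]
        flagged = [s for s in spns if is_dc_spn(s)]
        if flagged and target.upper() not in known:
            hits.append((target, flagged))
    return hits

# Constructed sample records (not real log data); field names mirror the
# 4742 event XML, all values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/dc01.corp.example/corp.example "
     f"{DRS_INTERFACE_GUID}/11111111-2222-3333-4444-555555555555/corp.example"},
    {"EventID": 4742, "TargetUserName": "WKS-0042$",
     "ServicePrincipalNames": "HOST/wks-0042 GC/wks-0042.corp.example/corp.example "
     f"{DRS_INTERFACE_GUID}/66666666-7777-8888-9999-000000000000/corp.example"},
    {"EventID": 4742, "TargetUserName": "PRINT01$", "ServicePrincipalNames": "-"},
    {"EventID": 4624, "TargetUserName": "alice"},
]
KNOWN_DCS = {"DC01$"}

if __name__ == "__main__":
    for account, spns in find_rogue_dc_registrations(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"ALERT: {account} registered DC-only SPNs: {spns}")
```

The same logic applies to 4742 records exported from a SIEM as long as the SPN attribute is mapped to `ServicePrincipalNames` and the known-DC set is refreshed from the directory rather than hard-coded.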

See Also

MITRE ATT&CK description

DCShadow official

DCShadow explained

Indicator Details

Name: DCShadow

Codename: I-DCShadow

Severity: Critical

MITRE ATT&CK Information:
ID: T1207
Sub-technique of: T1207
Tactic: TA0005