AN0770: Analytic 0770
Detection of rogue Domain Controller registration and Active Directory replication abuse by correlating: (1) creation/modification of nTDSDSA and server objects in the Configuration partition, (2) unexpected usage of Directory Replication Service SPNs (GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2), (3) replication RPC calls (DrsAddEntry, DrsReplicaAdd, GetNCChanges) originating from non-DC hosts, and (4) Kerberos authentication by non-DC machines using DRS-related SPNs. These events in combination, especially from hosts outside the Domain Controllers OU, may indicate DCShadow or rogue DC activity.
Analyst context for executives and security teams
AN0770 is a Windows Active Directory detection analytic focused on identifying signs that a non-standard system may be registering as a Domain Controller or abusing directory replication behavior. For leaders, the value is not just spotting a technical anomaly; it is validating whether the organization can see changes to core AD configuration, unusual replication activity, and Kerberos use that could undermine identity trust and incident containment decisions.
Executive priority
Prioritize this analytic where Active Directory is a critical identity control plane. Rogue Domain Controller or replication-abuse indicators can affect business continuity, privileged access assurance, compliance evidence, and incident response confidence. Executives should ask whether SOC and identity teams can prove they monitor Domain Controller object changes, replication RPC activity, and DRS-related Kerberos authentication from unexpected hosts, especially outside the Domain Controllers OU.
Technical view
The supplied ATT&CK analytic describes correlation across four evidence areas: creation or modification of nTDSDSA and server objects in the Configuration partition; unexpected use of Directory Replication Service SPNs such as GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2; replication RPC calls including DrsAddEntry, DrsReplicaAdd, and GetNCChanges from non-DC hosts; and Kerberos authentication by non-DC machines using DRS-related SPNs. SOC and detection engineering teams should validate that these sources can be joined by host, account, object, OU placement, and time window. Because no tactic or separate detection logic is supplied, implementation should be treated as a correlation design rather than a complete rule.
Likely telemetry
- Active Directory Configuration partition object change events for nTDSDSA and server objects
- Directory Replication Service SPN usage, including GC/ and E3514235-4B06-11D1-AB04-00C04FC2DCD2
- Replication RPC activity such as DrsAddEntry, DrsReplicaAdd, and GetNCChanges
- Kerberos authentication events involving DRS-related SPNs
- Asset and directory context identifying authorized Domain Controllers and hosts in or outside the Domain Controllers OU
Detection direction
- Validate that AD object change monitoring covers the Configuration partition, not only user and group changes.
- Tune correlation around non-DC hosts, unexpected OU placement, and DRS-related SPN use rather than alerting on any single event in isolation.
- Confirm that RPC and Kerberos telemetry can be associated with machine identity and authorized Domain Controller inventory.
- Review expected administrative or infrastructure workflows that may create false positives before escalating.
- Use the analytic as identity-control-plane coverage validation because the official detection field is not provided.
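The correlation design described in the Technical view and the Detection direction items above can be sketched in code. The following is an added example, not code from MITRE ATT&CK, from AN0770, or from Glexia; it assumes a normalized event schema (kind, host, detail, host OU) produced by the SIEM's enrichment, an authorized Domain Controller inventory supplied by the operator, and a 30-minute window and two-category threshold that are placeholders to tune locally. All events, host names, OUs and the GUID in the sample SPN are constructed.

```python
"""Correlation sketch for AN0770 signals: joins the four evidence areas by host and time window."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Evidence area (2)/(4): DRS SPN prefixes named in the analytic.
DRS_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")
# Evidence area (3): replication RPC methods named in the analytic.
REPLICATION_RPC_CALLS = {"DrsAddEntry", "DrsReplicaAdd", "GetNCChanges"}
# Assumed forest layout (constructed).
DC_OU = "OU=Domain Controllers,DC=corp,DC=example"
WS_OU = "OU=Workstations,DC=corp,DC=example"


@dataclass(frozen=True)
class Event:
    ts: datetime   # event time
    host: str      # source host (machine name, from the log or enrichment)
    kind: str      # "ad_object" | "spn_use" | "rpc" | "kerberos"
    detail: str    # object DN, SPN string, or RPC method name
    host_ou: str   # OU of the host's computer object (assumed enrichment field)


def is_dc_config_object(dn: str) -> bool:
    """nTDSDSA (CN=NTDS Settings) or server objects under CN=Servers in the Configuration partition."""
    dn_u = dn.upper()
    return "CN=CONFIGURATION" in dn_u and ("CN=NTDS SETTINGS" in dn_u or "CN=SERVERS" in dn_u)


def is_drs_spn(spn: str) -> bool:
    return spn.upper().startswith(tuple(p.upper() for p in DRS_SPN_PREFIXES))


def evidence_category(ev: Event):
    """Map one event to an AN0770 evidence area (1-4), or None if it is not relevant."""
    if ev.kind == "ad_object" and is_dc_config_object(ev.detail):
        return 1
    if ev.kind == "spn_use" and is_drs_spn(ev.detail):
        return 2
    if ev.kind == "rpc" and ev.detail in REPLICATION_RPC_CALLS:
        return 3
    if ev.kind == "kerberos" and is_drs_spn(ev.detail):
        return 4
    return None


def correlate(events, authorized_dcs, window=timedelta(minutes=30), min_categories=2):
    """Return {host: finding} for non-DC hosts showing >= min_categories distinct evidence areas
    inside one sliding window. Authorized DCs are dropped first: replication between real DCs is normal."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        cat = evidence_category(ev)
        if cat is None or ev.host in authorized_dcs:
            continue
        by_host.setdefault(ev.host, []).append((ev.ts, cat, ev.host_ou))
    findings = {}
    for host, items in by_host.items():
        for i, (start, _, ou) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            cats = sorted({c for _, c, _ in in_window})
            if len(cats) >= min_categories:
                findings[host] = {
                    "categories": cats,
                    "outside_dc_ou": ou.upper() != DC_OU.upper(),
                    "first_seen": start,
                }
                break  # one finding per host is enough for triage
    return findings


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # Workstation exhibiting all four evidence areas within minutes.
    Event(T0, "WS-FIN-07", "ad_object",
          "CN=NTDS Settings,CN=WS-FIN-07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,"
          "CN=Configuration,DC=corp,DC=example", WS_OU),
    Event(T0 + timedelta(minutes=1), "WS-FIN-07", "spn_use", "GC/WS-FIN-07.corp.example/corp.example", WS_OU),
    Event(T0 + timedelta(minutes=2), "WS-FIN-07", "kerberos",
          "E3514235-4B06-11D1-AB04-00C04FC2DCD2/00000000-0000-0000-0000-000000000000/corp.example", WS_OU),
    Event(T0 + timedelta(minutes=3), "WS-FIN-07", "rpc", "DrsReplicaAdd", WS_OU),
    # Legitimate DC-to-DC replication: excluded by the inventory, never scored.
    Event(T0 + timedelta(minutes=5), "DC01", "rpc", "GetNCChanges", DC_OU),
    # One Kerberos ticket for a GC/ SPN from an admin host: below the two-category threshold.
    Event(T0 + timedelta(minutes=6), "ADMIN-01", "kerberos", "GC/DC01.corp.example/corp.example",
          "OU=Admin Hosts,DC=corp,DC=example"),
    # Two areas, but two hours apart: outside the default window, so the window size decides.
    Event(T0, "WS-HR-02", "ad_object",
          "CN=WS-HR-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example", WS_OU),
    Event(T0 + timedelta(hours=2), "WS-HR-02", "rpc", "DrsAddEntry", WS_OU),
]
AUTHORIZED_DCS = {"DC01", "DC02"}


def run_sample():
    return correlate(SAMPLE_EVENTS, AUTHORIZED_DCS)


if __name__ == "__main__":
    for host, f in run_sample().items():
        print(host, f["categories"], "outside DC OU" if f["outside_dc_ou"] else "in DC OU", f["first_seen"])
```

Two design choices matter for tuning. First, authorized DCs are removed before scoring rather than after, so a real DC never generates a finding even when it legitimately calls GetNCChanges; the inventory must therefore be authoritative, as the Mitigation priorities note. Second, the window is a parameter: WS-HR-02 is not reported at the default 30 minutes but is reported with a three-hour window, which is the kind of trade-off between coverage and false positives the Detection direction items ask teams to review.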
Mitigation priorities
- Maintain an authoritative inventory of Domain Controllers and expected Domain Controllers OU membership.
- Restrict and review permissions that allow creation or modification of sensitive AD configuration objects.
- Harden monitoring around replication-related authentication and RPC activity from non-DC systems.
- Ensure incident response playbooks include validation of AD configuration integrity when rogue DC or replication-abuse signals appear.
- Preserve audit evidence for AD configuration changes and authentication activity to support compliance and post-incident review.
Analyst notes and limits
This take is based on MITRE ATT&CK detection analytic AN0770 in the enterprise-attack domain, version 1.0, for Windows. No relationship context, tactics, aliases, or separate official detection logic were supplied. The strongest defensive use is as a correlation and coverage-validation pattern for Active Directory monitoring.
The object does not provide full detection logic, data source mappings, tactics, relationships, or mitigation references. Local AD architecture, authorized Domain Controller inventory, logging configuration, and normal administrative workflows are required to determine severity and reduce false positives.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2af6fac625ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0770
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.