Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1207: Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. [1] Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. [2]

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). [1] The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. [1]

EnterpriseT1207TechniqueObject v3.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Rogue Domain Controller is a high-risk Active Directory defense-impairment technique: an adversary with sufficient privileges may register or reuse a domain controller-like object to push unauthorized directory changes through replication. For leaders, the practical issue is not only privilege abuse; it is trust manipulation inside the identity system that can bypass normal endpoint/SIEM visibility and complicate forensics.

Executive priority

Prioritize this as an identity resilience and incident-readiness concern for Windows Active Directory environments. The key business question is whether the organization can prove which systems are legitimate domain controllers, detect unauthorized AD replication-related changes, and preserve evidence if directory metadata is altered or deleted. This matters for continuity, privileged access governance, audit evidence, and recovery confidence after a suspected domain compromise.

Technical view

SOC and IR teams should validate controls around rogue DC registration and AD replication abuse, aligned to the related ATT&CK detection strategy DET0276. The technique involves creation of server and nTDSDSA objects in the Configuration partition and may allow injected replicated changes to AD objects, credentials, keys, schemas, ACLs, and SID History. Because the ATT&CK detection field is not provided and the description notes possible SIEM/logging bypass, teams should not assume standard security monitoring is sufficient; they should test whether directory service, replication, configuration partition, and domain controller inventory evidence is collected and reviewable.

Likely telemetry

  • Active Directory configuration partition changes, including server and nTDSDSA objects
  • Domain controller inventory and registration records
  • Directory replication metadata and replication-related events
  • Changes to AD objects such as accounts, ACLs, schemas, credentials, keys, and SID History
  • Privileged account activity involving Domain Admin, local administrator on a DC, or KRBTGT-hash-related compromise indicators where locally available

Detection direction

  • Validate the related DET0276 detection strategy against local AD architecture and logging reality rather than relying on generic SIEM rules.
  • Alert on unexpected domain controller registration, inactive DC registration reuse, or unusual changes to server/nTDSDSA objects in the Configuration partition.
  • Correlate replication metadata changes with privileged administrative activity and approved change windows.
  • Tune carefully for legitimate domain controller promotion, decommissioning, disaster recovery, and directory maintenance to reduce false positives.
  • Account for blind spots: actions taken through a rogue DC may not be reported to normal sensors, and replication/metadata manipulation may obstruct forensic review.

Mitigation priorities

  • Maintain a continuously validated inventory of authorized domain controllers and expected replication topology.
  • Restrict, monitor, and regularly review privileges capable of modifying AD configuration and domain controller-related objects.
  • Protect and monitor highly privileged credentials, including Domain Admin-equivalent access and KRBTGT-related risk.
  • Require change control and independent verification for domain controller promotion, decommissioning, and AD schema/configuration changes.
  • Include rogue DC/DCShadow-style scenarios in incident response and AD recovery exercises, with emphasis on evidence preservation and trusted directory restoration.
Analyst notes and limits

The supplied ATT&CK object places this technique under defense impairment on Windows and links it to Mimikatz as software that uses the technique. The object also references SID-History Injection and persistence-style AD object manipulation in its description, but this take avoids expanding beyond the provided technique details. For Glexia services, the strongest validation areas are identity security assessment, managed detection engineering, AD incident response readiness, and audit evidence for privileged change control.

MITRE did not provide an official detection section for this technique in the supplied fields. The object supports risk and validation guidance for Windows Active Directory, but local telemetry, AD design, change-management practices, and logging configuration are required to determine actual exposure or detection coverage. No active exploitation, attribution, or customer impact is implied.

Official MITRE ATT&CK definition

Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. [1] Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. [2]

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). [1] The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Relationship explorer

All related ATT&CK context

uses · Tool S0002: Mimikatz Enterprise detects · Detection Strategy DET0276: Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.0
Created
Modified
Raw hash
376dc84919e2d775...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.0 Current bundle 376dc84919e2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    DCShadow Blog

    Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018.

    Open source URL
  2. [2]
    Adsecurity Mimikatz Guide

    Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.

    Open source URL
  3. [3]
    mitre-attack T1207
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use