Possible DCShadow Attempt

The Possible DCShadow Attempt alert indicates that Active Directory replication is taking place between a domain controller (DC) and a host which is not a DC.

Synopsis

Activation Period: 10 minutes
Training Period: 3 days
Test Period: 14 days
Deduplication Period: 10 minutes
Required Data: Traffic and Enhanced Application logs
Severity: High

Description

Attackers may replicate Active Directory data to compromised domain-joined computers by registering those computers as new domain controllers, and then use them to push malicious Active Directory content back to the legitimate DCs, in an operation called DCShadow.

Attacker's Goals

Retrieve Active Directory data in order to later push out malicious Active Directory changes through a rogue domain controller.

Investigative Actions

Check whether the destination host is a newly promoted domain controller, or a host that legitimately syncs directory data with ADFS or Azure AD (for example, an Azure AD Connect server). Replication to any other host warrants investigation.
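The following is an added triage example, not part of the original alert reference: it runs the check above over constructed traffic log records, flagging replication whose destination is not a known DC, distinguishing known AD sync hosts from unexplained hosts, and suppressing repeats of the same source/destination pair inside a 10-minute deduplication window. The CSV layout, the "ms-ds-replication" app label and the host inventory are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in an assumed CSV layout (time, app, src_host, dst_host);
# the real Traffic / Enhanced Application log schema will differ.
SAMPLE_LOG = """\
time,app,src_host,dst_host
2024-05-01T10:00:01Z,ms-ds-replication,DC01,DC02
2024-05-01T10:00:05Z,ms-ds-replication,DC01,AADC01
2024-05-01T10:00:09Z,ms-ds-replication,DC02,WS-FINANCE-07
2024-05-01T10:03:40Z,ms-ds-replication,DC02,WS-FINANCE-07
2024-05-01T10:05:00Z,ldap,WS-FINANCE-07,DC01
2024-05-01T10:15:00Z,ms-ds-replication,DC02,WS-FINANCE-07
"""

# Constructed asset inventory: hosts that may legitimately receive AD replication.
KNOWN_DCS = {"DC01", "DC02"}
KNOWN_SYNC_HOSTS = {"AADC01"}             # Azure AD Connect / ADFS sync servers
REPLICATION_APPS = {"ms-ds-replication"}  # assumed app label for DRS replication traffic

@dataclass
class Finding:
    time: str
    src: str
    dst: str
    verdict: str

def review_replication(log_text, known_dcs, known_sync_hosts, dedup_seconds=600):
    """Flag replication whose destination is not a known DC; suppress repeats of the
    same src->dst pair within dedup_seconds (mirrors the 10-minute deduplication period)."""
    findings, last_seen = [], {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"].lower() not in REPLICATION_APPS:
            continue                      # only directory replication traffic matters here
        src, dst = row["src_host"].upper(), row["dst_host"].upper()
        if dst in known_dcs:
            continue                      # DC-to-DC replication is normal
        ts = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get((src, dst))
        if prev is not None and ts - prev < timedelta(seconds=dedup_seconds):
            continue                      # duplicate inside the dedup window
        last_seen[(src, dst)] = ts
        if dst in known_sync_hosts:
            verdict = "expected: known AD sync host"
        else:
            verdict = "investigate: replication to a non-DC host (possible DCShadow)"
        findings.append(Finding(row["time"], src, dst, verdict))
    return findings

if __name__ == "__main__":
    for finding in review_replication(SAMPLE_LOG, KNOWN_DCS, KNOWN_SYNC_HOSTS):
        print(finding)
```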
