Possible DCShadow Attempt

A Possible DCShadow Attempt alert indicates that Active Directory replication is taking place between a domain controller (DC) and a host that is not a DC.


10 minutes
3 days
14 days
10 minutes
Traffic and Enhanced Application logs


Attackers may replicate Active Directory data to compromised domain-joined computers, by posing those computers as new domain controllers, and then use them to push malicious Active Directory content in an operation called

Attacker's Goals

Retrieve Active Directory data, in order to later be able to push out malicious Active Directory changes.

Investigative Actions

Check whether the destination is a new domain controller or a host that syncs with ADFS or Azure AD.
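One way to run this check from a management workstation, as an added example that is not part of the original alert reference or the vendor's tooling. It assumes the RSAT ActiveDirectory module is available; the parameter names and the allow-list of AD FS / Azure AD sync hosts are hypothetical and supplied by the analyst.

```powershell
# Added triage example (not vendor code). Parameter names are hypothetical.
param(
    [Parameter(Mandatory)][string]$DestinationHost,   # destination host from the alert
    [string[]]$KnownSyncHosts = @()                   # assumed local allow-list: AD FS / Azure AD sync servers
)
Import-Module ActiveDirectory

$drsGuid     = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2' # DRS replication interface GUID found in DC SPNs
$serverTrust = 0x2000                                 # userAccountControl SERVER_TRUST_ACCOUNT bit
$short       = $DestinationHost.Split('.')[0]

# 1. Is the host a domain controller as far as the directory is concerned?
$listedDcs  = @((Get-ADDomainController -Filter *).Name)
$isListedDc = $listedDcs -contains $short

# 2. Computer account attributes that only a DC should carry.
$computer = Get-ADComputer -Filter "Name -eq '$short'" `
    -Properties userAccountControl, servicePrincipalName, whenCreated
$hasTrustFlag = [bool]($computer.userAccountControl -band $serverTrust)
$replSpns = @($computer.servicePrincipalName |
    Where-Object { $_ -like "*$drsGuid*" -or $_ -like 'GC/*' })

# 3. Is there an NTDS Settings (nTDSDSA) object for this host in the Configuration partition?
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntds = @(Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' `
        -Properties whenCreated |
    Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$short,*" })

$verdict =
    if ($isListedDc -and $hasTrustFlag) { 'Registered DC: confirm the promotion was planned' }
    elseif ($KnownSyncHosts -contains $short) { 'Allow-listed AD FS / Azure AD sync host' }
    elseif ($replSpns.Count -gt 0 -or $ntds.Count -gt 0) { 'Non-DC carrying DC replication artefacts: escalate' }
    else { 'Not a DC, not allow-listed: escalate' }

[pscustomobject]@{
    Host               = $short
    ListedAsDC         = $isListedDc
    ServerTrustAccount = $hasTrustFlag
    ReplicationSpns    = $replSpns -join '; '
    NtdsSettingsObject = ($ntds.DistinguishedName -join '; ')
    NtdsCreated        = ($ntds.whenCreated -join '; ')
    ComputerCreated    = $computer.whenCreated
    Verdict            = $verdict
}
```

A host that shows no replication SPNs or NTDS Settings object at query time is not cleared by this output, since those objects can be removed after replication completes; compare the creation times against your change records for DC promotions.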
