Query Details

RULE 16 AD DC Shadow Rogue DC Object

Query

// =========================================================
// RULE-16 | AD-DCShadow-Rogue-DC-Object
// Description : DCShadow rogue Domain Controller detection —
//               Event 5137 (Directory Service Object Created)
//               showing creation of an nTDSDSA object (the
//               class that identifies a Domain Controller) in
//               the Configuration Naming Context
//               (CN=Sites,CN=Configuration,DC=...) from a
//               machine that is NOT an existing DC.
//               DCShadow registers a temporary rogue DC to
//               push arbitrary AD replication updates
//               (modify ACLs, group memberships, SID History);
//               the replicated changes themselves are not
//               audited as LDAP writes on the receiving DC,
//               so the registration objects are the trail.
// Severity    : Critical (any nTDSDSA creation by non-DC)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1207 — Rogue Domain Controller
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Known legitimate DCs
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DC = toupper(Computer);

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5137                        // DS Object Created
| where ObjectClass =~ "nTDSDSA"
    or (ObjectClass =~ "server"
        and ObjectDN has "CN=Sites")
    // nTDSDSA objects are named "CN=NTDS Settings,CN=<server>,CN=Servers,...";
    // the DN never contains the class name, so match the RDN instead
    or ObjectDN has "NTDS Settings"
| extend
    CreatorAccount    = strcat(SubjectDomainName, "\\", SubjectUserName),
    NewObject         = ObjectDN,
    IsFromKnownDC     = (toupper(Computer) in~ (KnownDCNames))
// Legitimate DC promotion writes come from the new DC itself
// or from existing DCs; flag anything else.
// Note: 5137 is logged by the DC that performed the write, so
// Computer is almost always a known DC. The account check below
// is what catches a DCShadow operator running as a user account.
| where not(IsFromKnownDC)
    or not(SubjectUserName endswith "$")        // user (non-machine) account = suspicious
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "DCShadow_Rogue_nTDSDSA_Object_Created; ",
        iff(not(IsFromKnownDC), "NotFromKnownDC; ", "CreatedByUserAccount; "),
        "NewObject: ", NewObject, "; ",
        "Creator: ", CreatorAccount, "; ",
        "Host: ", Computer
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    CreatorAccount,
    NewObject,
    ObjectClass,
    Computer,
    IsFromKnownDC,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect suspicious activity related to the creation of rogue Domain Controllers (DCs) in an Active Directory environment, specifically using a technique known as DCShadow. Here's a simplified explanation of what the query does:

  1. Purpose: The query aims to identify instances where a new Domain Controller object (nTDSDSA) is created by a machine that is not a recognized Domain Controller. This is a critical security concern because it could indicate a DCShadow attack, where an attacker registers a rogue DC to manipulate Active Directory data without leaving typical audit trails.

  2. Known DCs: It first builds a list of legitimate Domain Controllers from recent events (last 3 days) with Event ID 4768 (Kerberos TGT requested). That event is written by the KDC that issued the ticket, so the Computer field on those events names a DC. A DC that issued no TGT in that window (or a freshly promoted one) is missing from the list and will be reported as unknown.

  3. Event Monitoring: The query then looks at Event ID 5137 (Directory Service object created) within the last 15 minutes and keeps only objects tied to DC registration: nTDSDSA objects (named "NTDS Settings") and server objects under CN=Sites,CN=Configuration. Note that 5137 is only generated when "Audit Directory Service Changes" is enabled and the container carries a SACL for object creation, and it is logged on the DC that performed the write, not on the machine the attacker used.

  4. Suspicious Activity Detection:

    • It checks whether the DC that logged the creation is in the known-DC list. Because 5137 comes from the DC that processed the write, this check rarely fires on its own.
    • It flags events where the creating account does not end with a dollar sign, i.e. a user account rather than a machine account. This is the branch that catches DCShadow, which runs under a privileged user context; an interactive DC promotion may also match and should be reconciled against change records.

  5. Output: For each suspicious event, the query provides the time of the event, severity (marked as "Critical"), the reasons the activity is suspicious, the account that created the object, the new object's DN (whose server RDN names the registered DC), and the DC that logged the write.

  6. Sorting and Presentation: The results are sorted by the time of the event in descending order, showing the most recent suspicious activities first.

In summary, this query is a security measure to detect unauthorized attempts to create Domain Controller objects, which could indicate a potential security breach using the DCShadow technique.
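The rule's logic re-expressed in Python and run over constructed SecurityEvent-style rows, as an added example that is not part of the original rule page: it keeps the object filter and the two checks above (with the reason label for the user-account branch corrected), and additionally pulls the registered server name out of the object DN, since that RDN, not the logging DC's Computer field, is what identifies the rogue DC. Field names mirror SecurityEvent columns; the events, host names, site name and account names are constructed for the example.

```python
from typing import Iterable, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (ATTR, value) pairs; a backslash escapes the next char."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def registered_server_name(dn: str) -> Optional[str]:
    """Server RDN of a DC registration object under CN=Sites,CN=Configuration:
    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    or the server object itself, CN=<server>,CN=Servers,...; None for anything else."""
    rdns = parse_dn(dn)
    norm = [(a, v.upper()) for a, v in rdns]
    if ("CN", "SITES") not in norm or ("CN", "CONFIGURATION") not in norm:
        return None
    if norm and norm[0] == ("CN", "NTDS SETTINGS"):
        rdns, norm = rdns[1:], norm[1:]
    if len(norm) >= 2 and norm[0][0] == "CN" and norm[1] == ("CN", "SERVERS"):
        return rdns[0][1]
    return None


def short_host(computer: str) -> str:
    return computer.split(".")[0].upper()   # Computer is usually an FQDN


def known_dcs(events: Iterable[dict]) -> set:
    """Mirror of the KnownDCNames let-block: 4768 is written by the issuing KDC."""
    return {short_host(e["Computer"]) for e in events if e["EventID"] == 4768}


def is_dc_registration(e: dict) -> bool:
    """Mirror of the rule's object filter (DN matched on the real RDN 'NTDS Settings')."""
    cls = e.get("ObjectClass", "").lower()
    dn_u = e.get("ObjectDN", "").upper()
    return cls == "ntdsdsa" or (cls == "server" and "CN=SITES" in dn_u) or "NTDS SETTINGS" in dn_u


def evaluate(events: List[dict]) -> List[dict]:
    dcs = known_dcs(events)
    findings = []
    for e in events:
        if e["EventID"] != 5137 or not is_dc_registration(e):
            continue
        reasons = []
        if short_host(e["Computer"]) not in dcs:          # logging DC unknown (rare)
            reasons.append("NotFromKnownDC")
        if not e["SubjectUserName"].endswith("$"):        # user, not machine, account
            reasons.append("CreatedByUserAccount")
        server = registered_server_name(e.get("ObjectDN", ""))
        if server is not None and server.upper() not in dcs:   # name being registered
            reasons.append("RegisteredServerNotKnownDC")
        if reasons:
            findings.append({"TimeGenerated": e["TimeGenerated"], "Severity": "Critical",
                             "Reasons": reasons, "RegisteredServer": server,
                             "Creator": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
                             "NewObject": e["ObjectDN"], "Host": e["Computer"]})
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    return findings


# Constructed SecurityEvent-style rows (not real telemetry).
_BASE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-03-24T10:00:00Z", "EventID": 4768, "Computer": "DC01.corp.local"},
    {"TimeGenerated": "2026-03-24T10:00:05Z", "EventID": 4768, "Computer": "DC02.corp.local"},
    # rogue registration: a user account creates server + NTDS Settings for a workstation
    {"TimeGenerated": "2026-03-24T10:05:00Z", "EventID": 5137, "Computer": "DC01.corp.local",
     "ObjectClass": "server", "ObjectDN": "CN=WS-ATTACKER," + _BASE,
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
    {"TimeGenerated": "2026-03-24T10:05:01Z", "EventID": 5137, "Computer": "DC01.corp.local",
     "ObjectClass": "nTDSDSA", "ObjectDN": "CN=NTDS Settings,CN=WS-ATTACKER," + _BASE,
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"},
    # quiet path: a known DC's machine account touching its own NTDS Settings object
    {"TimeGenerated": "2026-03-24T10:06:00Z", "EventID": 5137, "Computer": "DC02.corp.local",
     "ObjectClass": "nTDSDSA", "ObjectDN": "CN=NTDS Settings,CN=DC02," + _BASE,
     "SubjectUserName": "DC02$", "SubjectDomainName": "CORP"},
    # unrelated 5137 that the object filter must drop
    {"TimeGenerated": "2026-03-24T10:07:00Z", "EventID": 5137, "Computer": "DC01.corp.local",
     "ObjectClass": "user", "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local",
     "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["TimeGenerated"], f["RegisteredServer"], f["Creator"], f["Reasons"])
```

Both rogue rows surface with CreatedByUserAccount and RegisteredServerNotKnownDC while NotFromKnownDC stays quiet, which is the expected shape of a DCShadow hit: the write lands on a real DC, under a user account, for a server name that no DC owns. Comparing the DN's server RDN against the known-DC list is the check worth adding to the KQL as well.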

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Devices, DomainController, ObjectClass, Computer, SubjectUserName, SubjectDomainName

Operators

let, ago, toupper, summarize, by, where, ==, =~, or, has, extend, strcat, in~, not, endswith, iff, project, order by, desc
