

How to detect and mitigate DCShadow attacks

DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.

DCShadow attacks are difficult to detect. Because the changes are committed through replication, these changes are not logged to the event log the way other changes would be. The DC is where changes normally originate, but in this case there is no actual DC.

DCShadow attacks are difficult to prevent. The DCShadow attack uses native features of Active Directory (AD), so it is not a vulnerability and cannot be patched.



Stealthbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.

Detect DCShadow Attack

DCShadow can be detected by watching for any system other than a Domain Controller being registered with the SPNs the attack requires.


Domain Controller Impersonation


Monitor for modifications to the SPN values of any computer that is not in the Domain Controllers group or OU, looking for values including:

• Any value starting with GC/
• The well-known GUID of the DRS service class E3514235-4B06-11D1-AB04-00C04FC2DCD2
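The SPN check above, as an added example that is not part of the original page or of any Stealthbits product: it runs over constructed computer records (the names, DNs and SPNs are invented) and treats membership of the Domain Controllers OU as the legitimate-DC test; a real monitor would also check the Domain Controllers group.

```python
# Service classes that only a genuine Domain Controller should register.
DRS_SERVICE_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # DRS (replication) service class
GC_PREFIX = "GC/"

# Constructed sample records: a simplified view of computer objects and their
# servicePrincipalName attribute, as a monitoring product or an LDAP query
# would return them. WKS099 is a workstation that has just been given DC-like SPNs.
SAMPLE_COMPUTERS = [
    {
        "name": "DC01",
        "dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
        "spns": [
            "GC/DC01.corp.example/corp.example",
            "E3514235-4B06-11D1-AB04-00C04FC2DCD2/11111111-2222-3333-4444-555555555555/corp.example",
            "HOST/DC01.corp.example",
        ],
    },
    {
        "name": "WKS042",
        "dn": "CN=WKS042,OU=Workstations,DC=corp,DC=example",
        "spns": ["HOST/WKS042.corp.example", "TERMSRV/WKS042.corp.example"],
    },
    {
        "name": "WKS099",
        "dn": "CN=WKS099,OU=Workstations,DC=corp,DC=example",
        "spns": [
            "HOST/WKS099.corp.example",
            "GC/WKS099.corp.example/corp.example",
            "e3514235-4b06-11d1-ab04-00c04fc2dcd2/66666666-7777-8888-9999-000000000000/corp.example",
        ],
    },
]


def is_domain_controller(dn: str) -> bool:
    """Assumption for this example: a computer in the Domain Controllers OU is a real DC."""
    return "ou=domain controllers," in dn.lower()


def suspicious_spns(spns):
    """Return the SPNs a non-DC should never carry. Matching is case-insensitive
    because the GUID may be registered in either case."""
    return [s for s in spns
            if s.upper().startswith(GC_PREFIX) or DRS_SERVICE_GUID in s.upper()]


def find_dcshadow_candidates(computers):
    """Return (name, suspicious SPNs) for every computer outside the DC OU
    that carries GC/ or DRS-class SPNs."""
    findings = []
    for c in computers:
        if is_domain_controller(c["dn"]):
            continue
        hits = suspicious_spns(c["spns"])
        if hits:
            findings.append((c["name"], hits))
    return findings
```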



Mitigate DCShadow Attack

Performing the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor your Domain Admins and other privileged groups. However, DCShadow can also be performed with a narrower set of specific rights rather than full Domain Admin membership, so Active Directory permissions should be inspected to ensure no unnecessary users hold these elevated rights.


Active Directory Domain Permissions


Review the following domain permissions to make sure you approve of all authorized users/groups:

• Add/Remove Replica in Domain (DS-Install-Replica)
• Manage Replication Topology (DS-Replication-Manage-Topology)
• Replication Synchronization (DS-Replication-Synchronize)

As well as these permissions on the Sites object:

• Create all child objects
• Delete all child objects

Remove any unnecessary permissions.



© 2021 Stealthbits Technologies, Inc.