{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dcshadow/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["dcshadow","active_directory","acl","privilege_escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe DCShadow attack is a technique where an attacker registers a rogue domain controller (DC) with a legitimate Active Directory domain, and then uses this rogue DC to inject malicious changes into the AD database. This allows attackers to make persistent modifications to the Active Directory environment without being detected through traditional event logs that monitor changes on legitimate DCs. This brief focuses on detecting the initial ACL modifications necessary to prepare for a DCShadow attack. Specifically, it identifies modifications to the domainDNS object\u0026rsquo;s ACL, granting the attacker the rights needed to replicate changes to the AD database. This activity is often a precursor to more overt malicious activity within the Active Directory environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to a level where they can make changes to Active Directory ACLs.\u003c/li\u003e\n\u003cli\u003eUsing tools like PowerShell or custom scripts, the attacker modifies the ACL of the domainDNS object in Active Directory (Event ID 5136).\u003c/li\u003e\n\u003cli\u003eThe attacker grants specific extended rights, including \u0026ldquo;Add/Remove Replica In Domain\u0026rdquo;, \u0026ldquo;Manage Replication Topology\u0026rdquo;, and \u0026ldquo;Replication Synchronization\u0026rdquo;, to a chosen account or group. This can be achieved by targeting the GUIDs \u0026ldquo;9923a32a-3607-11d2-b9be-0000f87a36b2\u0026rdquo;, \u0026ldquo;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2\u0026rdquo;, and \u0026ldquo;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a rogue domain controller with the Active Directory domain.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the rogue DC to replicate malicious changes into the Active Directory database, such as modifying user attributes or group memberships.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use these modifications to achieve their objectives, such as gaining unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful DCShadow attacks can grant attackers persistent and stealthy control over an Active Directory environment. This can lead to widespread data breaches, account compromise, and disruption of critical business services. The attacker gains the ability to manipulate identities and permissions, bypassing normal security controls. While the source does not specify a number of victims, organizations relying on Active Directory for authentication and authorization are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor the Windows Security event log, specifically Event ID 5136, to detect modifications to Active Directory objects as described in the Lantern article linked in the references.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect DCShadow Privilege ACL Addition\u003c/code\u003e to your SIEM and tune it for your environment based on expected legitimate ACL changes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003esrc_user\u003c/code\u003e and \u003ccode\u003euser\u003c/code\u003e fields to identify the source and target of the ACL modifications.\u003c/li\u003e\n\u003cli\u003eReview and audit Active Directory ACLs on critical objects like the domainDNS object to ensure they are configured according to the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for privileged accounts to prevent attackers from easily gaining the credentials needed to perform DCShadow attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:58:27Z","date_published":"2026-05-28T17:58:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dcshadow-privilege-acl-addition/","summary":"This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack by modifying permissions on the domainDNS object.","title":"Windows AD DCShadow Privilege Escalation via ACL Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-dcshadow-privilege-acl-addition/"}],"language":"en","title":"CraftedSignal Threat Feed — Dcshadow","version":"https://jsonfeed.org/version/1.1"}