Tags: active directory, dcshadow, persistence, defense evasion

The change that rewrites the directory itself (DCShadow)

DCShadow lets an attacker who already holds Tier-0 rights register a rogue domain controller and push changes straight into Active Directory through replication, sidestepping the auditing that watches ordinary LDAP writes. Here is the stealth-persistence trick, and the fix.

Attack flow
1. Gain domain (Tier-0) rights, plus SYSTEM on the host that will impersonate a DC
2. Register a rogue domain controller (a computer account dressed up as a DC and an nTDSDSA object in the Configuration partition)
3. Push malicious changes via replication
4. Bypass change auditing
5. Persist stealthily
Seen in the wild · Broad APT use · Mimikatz technique

The quietest way to backdoor a directory is to convince it the change came from one of its own domain controllers.

What it is

DCShadow abuses Active Directory replication. An attacker with high privilege temporarily registers a rogue domain controller and uses replication to inject changes (adding a SID History, altering ACLs, planting a backdoor) directly into AD, as if a real DC made them. The rogue host turns its computer account into a DC-looking object (the SERVER_TRUST_ACCOUNT flag and the GC and DRS replication SPNs), creates an nTDSDSA object under its server entry in the Configuration partition, answers the MS-DRSR replication RPC interface itself, and asks a genuine DC to pull from it. Directory change auditing is written by the DC that originates a write, and here the "originating DC" is the attacker's machine, so the genuine DC applies the replicated update without raising the Directory Service Changes events an LDAP write against it would have produced. This is T1207 (Rogue Domain Controller), typically paired with T1098 (Account Manipulation) for the changes it carries.

Why it works

It mimics legitimate domain-controller replication, so the malicious changes look authentic, and monitoring that watches LDAP writes often never sees them. It is stealthy persistence at the directory level.

How to detect it

Look for hosts that briefly behave like domain controllers without being in your DC inventory. On the DC the attacker registers against: a computer account changed (4742) so that userAccountControl gains SERVER_TRUST_ACCOUNT (0x2000) or its SPNs gain a GC/ entry and an E3514235-4B06-11D1-AB04-00C04FC2DCD2/ (DRS replication) entry; an nTDSDSA object created (5137) under CN=Servers,CN=<site>,CN=Sites,CN=Configuration and deleted again (5141) seconds later, because the tooling cleans up after the push. On the DC that pulls: a replica source established (4928) and removed (4929) for a DSA that is not a known DC. On the wire: MS-DRSR RPC traffic originating from a non-DC address. None of these alone is proof; together, from one host, they are.
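The correlation described above, as an added example that is not part of the original note or of any product it mentions. It takes pre-parsed Security-log records (the event dictionaries below are constructed samples, not captured data; a real pipeline would parse the 4742/4928/5137/5141 XML into this shape first), groups DC-like behaviour per host, and reports hosts that are not in the DC inventory. KNOWN_DCS and the host names are assumptions.

```python
"""Correlate Windows Security events into DCShadow indicators.

Added example, not code from the original note. The records in EVENTS are
constructed, pre-parsed dictionaries standing in for Security-log fields.
"""
import re
from collections import defaultdict

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit carried by DC computer accounts
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"  # DRS replication SPN class
GC_SPN_PREFIX = "GC/"

# Hosts that are supposed to be domain controllers (assumed inventory).
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample events; field names follow the Security-log layout.
EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS-RED$",
     "OldUacValue": "0x1000", "NewUacValue": "0x2000",
     "ServicePrincipalNames": [
         "GC/ws-red.corp.local/corp.local",
         DRS_SPN_PREFIX + "1c2e3f40-aaaa-bbbb-cccc-0123456789ab/corp.local"]},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS-RED,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 4928,
     "SourceDRA": "CN=NTDS Settings,CN=WS-RED,CN=Servers,CN=Default-First-Site-Name,"
                  "CN=Sites,CN=Configuration,DC=corp,DC=local",
     "NamingContext": "DC=corp,DC=local"},
    {"EventID": 5141, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS-RED,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=local"},
    # Benign noise: a real DC replicating, and a workstation SPN update.
    {"EventID": 4928,
     "SourceDRA": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,"
                  "CN=Sites,CN=Configuration,DC=corp,DC=local",
     "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4742, "TargetUserName": "WS-BLUE$",
     "OldUacValue": "0x1000", "NewUacValue": "0x1000",
     "ServicePrincipalNames": ["HOST/ws-blue.corp.local"]},
]

# An nTDSDSA object always sits directly under its server object in CN=Servers.
_DSA_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def server_from_dsa_dn(dn):
    """Return the server name from an nTDSDSA DN, or None if dn is not one."""
    m = _DSA_DN.match(dn)
    return m.group(1).upper() if m else None


def correlate(events, known_dcs):
    """Collect DC-like indicators per host; return only hosts outside the inventory.

    Result shape: {host: sorted list of indicator strings}.
    """
    indicators = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 4742:
            host = e["TargetUserName"].rstrip("$").upper()
            old = int(e["OldUacValue"], 16)
            new = int(e["NewUacValue"], 16)
            # A workstation account being promoted to a DC account.
            if new & SERVER_TRUST_ACCOUNT and not old & SERVER_TRUST_ACCOUNT:
                indicators[host].add("uac:SERVER_TRUST_ACCOUNT set")
            for spn in e.get("ServicePrincipalNames", []):
                if spn.startswith(DRS_SPN_PREFIX):
                    indicators[host].add("spn:DRS replication")
                elif spn.startswith(GC_SPN_PREFIX):
                    indicators[host].add("spn:GC")
        elif eid in (5137, 5141) and e.get("ObjectClass") == "nTDSDSA":
            host = server_from_dsa_dn(e["ObjectDN"])
            if host:
                indicators[host].add("nTDSDSA created" if eid == 5137 else "nTDSDSA deleted")
        elif eid == 4928:
            # A genuine DC established a replica link to this source DSA.
            host = server_from_dsa_dn(e["SourceDRA"])
            if host:
                indicators[host].add("replication source established")
    return {h: sorted(i) for h, i in indicators.items() if h not in known_dcs}


if __name__ == "__main__":
    for host, found in correlate(EVENTS, KNOWN_DCS).items():
        print(f"ALERT possible DCShadow from {host}: {', '.join(found)}")
```

Run as-is it reports WS-RED with all six indicators and stays silent on DC02 and WS-BLUE. The inventory check is the heart of it: every indicator is normal behaviour for a real DC, so the rule fires only on hosts that are not one. Keep KNOWN_DCS fed from the live list of nTDSDSA objects you have blessed, not from a static file, or a legitimately promoted DC will page you and an attacker who edits the file will not.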

The fix that holds

Hold Tier 0 tightly, because DCShadow needs domain-level rights; monitor for rogue domain-controller registration and replication from sources outside your DC inventory; and alert on directory changes that arrive without a matching originating write. If you see it, treat the domain as compromised: the attacker already held Tier 0, so the pushed changes (SID History, ACLs, backdoor accounts) have to be found and reverted, and Tier-0 credentials rotated.

Practice it

We built a DCShadow scenario in GraphLattice Range so teams learn to watch replication itself, not just directory writes.