DCShadow: when empty security logs mean the attack worked
DCShadow registers a fake domain controller and pushes directory changes over replication, bypassing object auditing. You hunt replication metadata, not security events.
Domain controllers trust each other to replicate directory changes. DCShadow abuses that trust by briefly impersonating a domain controller and pushing changes over the replication channel, which leaves your object-level audit logs silent.
How the attack works
With Domain Admin-equivalent privilege, the attacker creates a server object and an nTDSDSA (directory-system-agent) object for a non-DC host under CN=Sites in the Configuration partition, and adds the service principal names a domain controller advertises (a GC/ entry and the DRS replication SPN, class E3514235-4B06-11D1-AB04-00C04FC2DCD2) to that host's computer account, so the real domain controllers accept it as a replication partner. The host then answers the replication RPC interface and triggers a replication cycle, so a legitimate domain controller pulls the attacker's changes, such as an added SID history value, an access control entry, or a primaryGroupID edit, exactly as it would from a peer DC. Directory Service Changes auditing (event 5136) and the account-management events (4738, 4742) are recorded only on the DC that performs an originating write; a change that arrives through the replication interface is not an originating write on any real DC, so no object-modification event appears in any security log. The other domain controllers replicate the result as normal, the attacker deletes the rogue server and nTDSDSA objects, and the injected SID history is later exercised for privileged access with no membership-change event. In ATT&CK terms this is T1207, Rogue Domain Controller; the injected SID history is T1134.005, SID-History Injection, and the ACE and primary group edits fall under T1098, Account Manipulation.
Why it works
The technique is designed to evade object-level auditing. The directory-modification events your SIEM relies on are generated only by the DC that performs an originating write, and here no real DC performs one, so a team that searches the security log for 5136 or 4738 concludes nothing happened while the injected changes remain active. What the security log can still hold is the registration of the rogue DC itself, and only where auditing is configured for it: 5137 and 5141 for the server and nTDSDSA objects being created and deleted (if the Configuration partition's SACL audits child creation), 4742 for the SPN additions on the rogue host's computer account, and 4928 and 4929 (Detailed Directory Service Replication auditing) for a replica source naming context established with, and removed from, a host that is not a domain controller.
How to fix it
The non-obvious key is that you cannot trust the object-level security logs here, so the hunt starts in the directory itself. List the nTDSDSA and server objects under CN=Sites in the Configuration partition and compare them with the output of Get-ADDomainController; a settings object that no current domain controller owns, or a computer account that is not a DC yet carries a GC/ or DRS replication SPN, is a rogue registration. Then scope what actually changed with replication metadata (repadmin /showobjmeta or Get-ADReplicationAttributeMetadata): for every sensitive attribute on privileged principals (sIDHistory, primaryGroupID, nTSecurityDescriptor, group membership) record the originating DSA invocation ID, version number, originating USN and change timestamp. A change whose originating invocation ID matches no current domain controller was originated by a DSA that no longer exists, which is exactly what a deleted rogue DC leaves behind; reconcile the hits against a known-good backup and your DC lifecycle records, because a DC that was restored from backup, demoted or decommissioned also leaves orphaned invocation IDs. Contain the high-privilege principal able to register a rogue DC, revert the injected SID history and access control entries, and remove the excessive privilege that allowed it.
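The two hunts described above, written out as an added PowerShell example; this is not code from the original page or from the GraphLattice scenario. It runs offline over constructed sample data (the domain corp.example, the DCs DC01 and DC02, the workstation WKS-ADM07, the user jdoe and every GUID are made up); the property names follow the output of Get-ADDomainController, Get-ADObject and Get-ADReplicationAttributeMetadata from the ActiveDirectory module, and the commented lines show where live data would come from.

```powershell
# Added example, not the page's code. Two checks behind the DCShadow hunt:
#   1. nTDSDSA objects in the Configuration partition that no current DC owns
#   2. originating changes to sensitive attributes whose originating DSA
#      invocation ID matches no current DC
# In production the inputs come from the ActiveDirectory module, e.g.
#   $knownDcs   = Get-ADDomainController -Filter *
#   $dsaObjects = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
#                   -SearchBase (Get-ADRootDSE).configurationNamingContext
#   $metadata   = Get-ADReplicationAttributeMetadata -Object $userDn -Server DC01 `
#                   -Properties sIDHistory,primaryGroupID,nTSecurityDescriptor,member
# Everything below is constructed sample data with the same property names.

$forestRoot  = 'DC=corp,DC=example'
$siteServers = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$forestRoot"

# Constructed: the two legitimate DCs as Get-ADDomainController reports them.
$knownDcs = @(
    [pscustomobject]@{
        Name                   = 'DC01'
        InvocationId           = [guid]'0f2a1a0e-5a7c-4c1a-9c41-2f1d2a9d8c01'
        NTDSSettingsObjectName = "CN=NTDS Settings,CN=DC01,$siteServers"
    }
    [pscustomobject]@{
        Name                   = 'DC02'
        InvocationId           = [guid]'0f2a1a0e-5a7c-4c1a-9c41-2f1d2a9d8c02'
        NTDSSettingsObjectName = "CN=NTDS Settings,CN=DC02,$siteServers"
    }
)

# Constructed: nTDSDSA objects found in the Configuration partition. The third
# one belongs to a workstation the attacker registered as a "DC" and has not
# yet cleaned up.
$dsaObjects = @(
    [pscustomobject]@{ DistinguishedName = "CN=NTDS Settings,CN=DC01,$siteServers" }
    [pscustomobject]@{ DistinguishedName = "CN=NTDS Settings,CN=DC02,$siteServers" }
    [pscustomobject]@{ DistinguishedName = "CN=NTDS Settings,CN=WKS-ADM07,$siteServers" }
)

# Check 1: any settings object that no current DC owns is a rogue DSA.
function Find-RogueDsaObjects {
    param([object[]]$DsaObjects, [object[]]$KnownDcs)
    $legit = @($KnownDcs | ForEach-Object { $_.NTDSSettingsObjectName })
    $DsaObjects | Where-Object { $legit -notcontains $_.DistinguishedName }
}

# Constructed: replication metadata for one user. The sIDHistory value was
# originated by an invocation ID that belongs to no current DC: the rogue DSA.
# Once the attacker deletes its nTDSDSA object the originating DSA identity
# may no longer resolve to a live server, which is why the check keys on the
# invocation ID that the metadata still carries.
$rogueInvocationId = [guid]'7d8e9f00-1b2c-4d3e-8f90-a1b2c3d4e5f6'
$userDn = "CN=jdoe,OU=Users,$forestRoot"
$metadata = @(
    [pscustomobject]@{
        Object = $userDn; AttributeName = 'sIDHistory'; Version = 2
        LastOriginatingChangeTime = [datetime]'2024-05-02T03:14:07Z'
        LastOriginatingChangeUsn  = 98221
        LastOriginatingChangeDirectoryServerInvocationId = $rogueInvocationId
    }
    [pscustomobject]@{
        Object = $userDn; AttributeName = 'primaryGroupID'; Version = 1
        LastOriginatingChangeTime = [datetime]'2023-11-20T09:02:41Z'
        LastOriginatingChangeUsn  = 61004
        LastOriginatingChangeDirectoryServerInvocationId = $knownDcs[0].InvocationId
    }
    [pscustomobject]@{
        Object = $userDn; AttributeName = 'description'; Version = 3
        LastOriginatingChangeTime = [datetime]'2024-05-02T03:15:30Z'
        LastOriginatingChangeUsn  = 98230
        LastOriginatingChangeDirectoryServerInvocationId = $rogueInvocationId
    }
)

# Check 2: sensitive attributes whose last originating DSA is not a current DC.
function Find-RogueOriginatingChanges {
    param(
        [object[]]$Metadata,
        [object[]]$KnownDcs,
        [string[]]$SensitiveAttributes = @('sIDHistory', 'primaryGroupID',
                                           'nTSecurityDescriptor', 'member', 'userAccountControl')
    )
    $knownIds = @($KnownDcs | ForEach-Object { [string]$_.InvocationId })
    foreach ($row in $Metadata) {
        if ($SensitiveAttributes -notcontains $row.AttributeName) { continue }
        $inv = [string]$row.LastOriginatingChangeDirectoryServerInvocationId
        if ($knownIds -contains $inv) { continue }
        [pscustomobject]@{
            Object                  = $row.Object
            Attribute               = $row.AttributeName
            Version                 = $row.Version
            OriginatingTime         = $row.LastOriginatingChangeTime
            OriginatingUsn          = $row.LastOriginatingChangeUsn
            OriginatingInvocationId = $inv
            Finding                 = 'originating DSA matches no current DC'
        }
    }
}

# Expected on the sample data: WKS-ADM07's settings object, and the sIDHistory
# row for jdoe (the description change by the same DSA is not flagged because
# description is not in the sensitive list; widen the list if you want it).
Find-RogueDsaObjects -DsaObjects $dsaObjects -KnownDcs $knownDcs | Format-Table -AutoSize
Find-RogueOriginatingChanges -Metadata $metadata -KnownDcs $knownDcs | Format-Table -AutoSize
```

Both checks compare against what the directory says the current DCs are, not against host names, because a rogue host can be named to look like a DC. An invocation ID that matches no current DC is a lead, not a verdict: a DC restored from backup gets a new invocation ID, and a demoted DC leaves its old one behind in metadata, so reconcile every hit with DC lifecycle records and the known-good backup before reverting the attribute.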
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse the rogue-replication hunt and the metadata-based forensics.