Detection of rogue Domain Controller registration and Active Directory replication abuse by correlating: (1) creation/modification of nTDSDSA and server objects in the Configuration partition, (2) unexpected usage of Directory Replication Service SPNs (GC/ or E3514235-4B06-11D1-AB04-00C04FC2DCD2), (3) replication RPC calls (DrsAddEntry, DrsReplicaAdd, GetNCChanges) originating from non-DC hosts, and (4) Kerberos authentication by non-DC machines using DRS-related SPNs. These events in combination, especially from hosts outside the Domain Controllers OU, may indicate DCShadow or rogue DC activity.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Creation (DC0087) | WinEventLog:Security | EventCode=4928 |
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4929 |
| Active Directory Object Access (DC0071) | WinEventLog:Security | EventCode=4662 |
| Active Directory Object Modification (DC0066) | m365:dirsync | Replication cookie changes involving Configuration partition with new server/nTDSDSA objects. |
| Network Traffic Content (DC0085) | NSM:Flow | DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs. |

| Field | Description |
|---|---|
| TimeWindow | Window (seconds) between nTDSDSA object creation and subsequent replication traffic from same host (default 300s). |
| AllowedReplicationPartners | List of legitimate DCs authorized for replication to reduce false positives. |
| SuspiciousSPNs | SPNs indicating replication service usage (GC/, GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2). |
| NonDCObjectCreationAlert | Trigger alerts only when AD object creation is by accounts not in Domain Admins or Enterprise Admins groups. |
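The correlation described above (the four indicators, the TimeWindow, AllowedReplicationPartners, SuspiciousSPNs and NonDCObjectCreationAlert tunables) as an added, runnable example; it is not part of the original strategy and not a vendor rule. It assumes events have already been normalized into dictionaries with the field names used below (`ts`, `source`, `EventCode`, `object_dn`, `subject`, `source_dra`, `spn`, `client_host`, `src_host`, `rpc`), which are constructed names, not the raw Windows or NSM schema; it also uses Event ID 4769 (Kerberos service ticket request) for the SPN indicator, which the table above does not list. The originating host of a Configuration-partition write is derived from the server name embedded in the nTDSDSA/server object DN, a simplification that ignores DN escaping. The sample events are constructed.

```python
"""Correlate Security events and flow records to flag possible rogue DC / DCShadow activity.

Added example, not the original strategy's code. Field names are constructed.
"""
from collections import defaultdict

# Tunables mirroring the strategy's fields (values are constructed)
TIME_WINDOW = 300                                     # seconds between first and last indicator
ALLOWED_REPLICATION_PARTNERS = {"DC01", "DC02"}       # legitimate DCs; anything else is "non-DC"
SUSPICIOUS_SPNS = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2")
DRS_CALLS = {"DrsAddEntry", "DrsReplicaAdd", "GetNCChanges"}
PRIVILEGED_ACCOUNTS = {"CORP\\svc-adsync"}            # NonDCObjectCreationAlert exclusion list (constructed)


def is_dc(host):
    return host in ALLOWED_REPLICATION_PARTNERS


def server_from_dn(dn, object_class):
    """Server name embedded in a Configuration-partition DN.
    nTDSDSA: CN=NTDS Settings,CN=<server>,CN=Servers,...   server: CN=<server>,CN=Servers,...
    Assumes no escaped commas in RDN values (simplification)."""
    rdns = [part.split("=", 1)[1] for part in dn.split(",")]
    return rdns[1] if object_class == "nTDSDSA" else rdns[0]


def classify(event):
    """Map one normalized event to (host, indicator) if it matches one of the four signals, else None."""
    src = event.get("source")
    if src == "WinEventLog:Security":
        code = event["EventCode"]
        # (1) nTDSDSA/server object written in the Configuration partition by a non-privileged account
        if code == 4662 and event.get("object_class") in ("nTDSDSA", "server") \
                and "CN=Configuration" in event.get("object_dn", "") \
                and event.get("subject") not in PRIVILEGED_ACCOUNTS:
            return server_from_dn(event["object_dn"], event["object_class"]), "config_object_write"
        # (1b) replica source naming context established with a non-DC as the source DRA
        if code == 4928 and not is_dc(event.get("source_dra", "")):
            return event["source_dra"], "replica_source_established"
        # (2)/(4) Kerberos service ticket for a DRS-related SPN (4769 assumed as the source event)
        if code == 4769 and event.get("spn", "").upper().startswith(SUSPICIOUS_SPNS):
            return event["client_host"], "drs_spn_ticket"
    elif src == "NSM:Flow" and event.get("rpc") in DRS_CALLS:
        # (3) replication RPC observed on the wire; the caller is the indicator host
        return event["src_host"], "drs_rpc_call"
    return None


def correlate(events, window=TIME_WINDOW):
    """Collect indicators per non-DC host; alert once per host when two or more
    distinct indicator kinds fall within `window` seconds of each other."""
    by_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit and not is_dc(hit[0]):           # AllowedReplicationPartners suppresses DC-to-DC traffic
            by_host[hit[0]].append((ev["ts"], hit[1]))
    alerts = []
    for host, sigs in by_host.items():
        sigs.sort()
        for i, (t0, _) in enumerate(sigs):
            kinds = {kind for t, kind in sigs[i:] if t - t0 <= window}
            if len(kinds) >= 2:
                alerts.append({"host": host, "start": t0, "indicators": sorted(kinds)})
                break
    return alerts


# Constructed sample events: one rogue-DC sequence from WS-042, one benign DC-to-DC
# replication flow, and one server object write by an excluded privileged account.
CONFIG_DN = "CN=NTDS Settings,CN=WS-042,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
EVENTS = [
    {"ts": 1000, "source": "WinEventLog:Security", "EventCode": 4662, "subject": "CORP\\jdoe",
     "object_class": "nTDSDSA", "object_dn": CONFIG_DN},
    {"ts": 1045, "source": "WinEventLog:Security", "EventCode": 4769,
     "spn": "GC/WS-042.corp.example/corp.example", "client_host": "WS-042"},
    {"ts": 1120, "source": "NSM:Flow", "src_host": "WS-042", "dst_host": "DC01", "rpc": "DrsReplicaAdd"},
    {"ts": 1130, "source": "WinEventLog:Security", "EventCode": 4928, "host": "DC01",
     "source_dra": "WS-042", "nc": "CN=Configuration,DC=corp,DC=example"},
    {"ts": 2000, "source": "NSM:Flow", "src_host": "DC02", "dst_host": "DC01", "rpc": "GetNCChanges"},
    {"ts": 3000, "source": "WinEventLog:Security", "EventCode": 4662, "subject": "CORP\\svc-adsync",
     "object_class": "server",
     "object_dn": "CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Requiring two distinct indicator kinds rather than any single one is what keeps the rule from firing on an administrator legitimately promoting a new DC (one Configuration write, no replication RPC from an unknown host) or on a monitoring box that merely queries a GC SPN; the window and the partner allow-list are the knobs to tune against the environment's own promotion and replication baseline.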