Why this module exists. DCShadow is the textbook example of “stealth persistence”. An attacker who already holds Domain Admin-equivalent rights does not need to keep dropping files, scheduling tasks or touching registry keys: they push the change into the directory through the replication protocol itself, and it becomes part of the canonical AD state that every domain controller then carries. Tooling that only audits “modifications via LDAP” misses it, because the payload never arrives as an LDAP write on a domain controller; it arrives as inbound replication. This module is the practitioner-level walkthrough of how it works and how to catch it.
What DCShadow actually does
AD replication runs between domain controllers over the Directory Replication Service (DRS) RPC interface, drsuapi. When DC1 holds a change that DC2 has not seen, DC2 pulls it with IDL_DRSGetNCChanges and applies it locally as inbound replication, not as a directory modification, so the replicated payload does not show up as an LDAP write in the receiving DC's audit trail. DCShadow abuses this by making the attacker's machine pose as a DC for a few seconds. It creates an nTDSDSA object for itself in the Configuration partition, adds the two SPNs a DC advertises (the GC SPN and the drsuapi interface GUID SPN, E3514235-4B06-11D1-AB04-00C04FC2DCD2) to its computer account, asks a real DC to add it as a replication source (IDL_DRSReplicaAdd), answers that DC's single IDL_DRSGetNCChanges pull with the attacker-chosen attribute values, and then removes the replication link, the nTDSDSA object and the SPNs. The real DC applies the change and replicates it onward to every other DC, since as far as it can tell the change originated at a legitimate replication partner. What survives on the real DC is the record of that short-lived DC registration, and that is what detection has to key on.
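The register, replicate, deregister sequence above leaves a recognisable trail on the legitimate DC: a 4742 on the attacker's computer account adding GC/ and drsuapi SPNs, a 5137 creating an nTDSDSA object under a server that is not a DC, and a 4928 followed by a 4929 as the replication source is established and removed. The following detector is an added example written for this module, not code from the page or from any DCShadow tool. The event IDs, the EventData field names (TargetUserName, ServicePrincipalNames, ObjectClass, ObjectDN, SourceDRA) and the drsuapi GUID are real; the host names, the DSA GUID, the KNOWN_DCS set and the records in SAMPLE_EVENTS are constructed for the demonstration. Events are modelled as flat dicts of the kind you get after parsing the EventData section of an exported Security log.

```python
"""Flag DCShadow's footprint in exported Windows Security events.

Added example for this module, not code from the page or from any DCShadow
tool. The event IDs (4742, 5137, 4928, 4929), the EventData field names and
the drsuapi interface GUID are real; the host names, DSA GUID and records in
SAMPLE_EVENTS are constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# RPC interface UUID of drsuapi. An SPN of the form
# E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/<domain> advertises the
# account as a replication partner; a normal workstation never carries it.
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Hosts allowed to carry DC SPNs and nTDSDSA objects. Constructed here;
# derive it from Get-ADDomainController (or your CMDB) in practice.
KNOWN_DCS = {"DC01", "DC02"}

Finding = Tuple[str, str]  # (host, description)


def _host_from_account(sam: str) -> str:
    """'WS-ATTACKER$' -> 'WS-ATTACKER'."""
    return sam.rstrip("$").upper()


def _server_from_dsa_dn(dn: str) -> str:
    """'CN=NTDS Settings,CN=WS-ATTACKER,CN=Servers,...' -> 'WS-ATTACKER'.

    nTDSDSA objects sit directly under the server object, so the second RDN
    names the machine that claims to be a DC.
    """
    parts = [p.strip() for p in dn.split(",")]
    if (len(parts) >= 2 and parts[0].upper() == "CN=NTDS SETTINGS"
            and parts[1].upper().startswith("CN=")):
        return parts[1][3:].upper()
    return ""


def _has_dc_spn(spn_field: str) -> bool:
    """4742 lists SPNs one per line; look for GC/ or the drsuapi GUID SPN."""
    for spn in spn_field.split():
        s = spn.upper()
        if s.startswith("GC/") or s.startswith(DRS_SPN_GUID + "/"):
            return True
    return False


def check_event(ev: Dict) -> List[Finding]:
    """Return the DCShadow indicators a single event carries (often none)."""
    eid = ev.get("EventID")
    out: List[Finding] = []

    if eid == 4742:  # A computer account was changed
        host = _host_from_account(ev.get("TargetUserName", ""))
        if host and host not in KNOWN_DCS and _has_dc_spn(ev.get("ServicePrincipalNames", "")):
            out.append((host, "4742: non-DC computer account carries GC/ or drsuapi SPN"))

    elif eid == 5137:  # A directory service object was created
        if ev.get("ObjectClass", "").lower() == "ntdsdsa":
            host = _server_from_dsa_dn(ev.get("ObjectDN", ""))
            if host and host not in KNOWN_DCS:
                out.append((host, "5137: nTDSDSA object created for a non-DC"))

    elif eid in (4928, 4929):  # replica source naming context established / removed
        host = _server_from_dsa_dn(ev.get("SourceDRA", ""))
        if host and host not in KNOWN_DCS:
            verb = "established" if eid == 4928 else "removed"
            out.append((host, f"{eid}: replication source {verb} pointing at a non-DC"))

    return out


def scan(events: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group indicators by host. One DCShadow push leaves the whole
    register / replicate / deregister sequence against the same host."""
    by_host: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for host, msg in check_event(ev):
            by_host[host].append(msg)
    return dict(by_host)


ROGUE_DSA_DN = ("CN=NTDS Settings,CN=WS-ATTACKER,CN=Servers,CN=Default-First-Site-Name,"
                "CN=Sites,CN=Configuration,DC=corp,DC=local")

# Constructed records: one DCShadow push from WS-ATTACKER plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS-ATTACKER$",
     "ServicePrincipalNames": "GC/ws-attacker.corp.local/corp.local\n"
                              f"{DRS_SPN_GUID}/11111111-2222-3333-4444-555555555555/corp.local"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA", "ObjectDN": ROGUE_DSA_DN},
    {"EventID": 4928, "SourceDRA": ROGUE_DSA_DN, "NamingContext": "DC=corp,DC=local"},
    {"EventID": 4929, "SourceDRA": ROGUE_DSA_DN, "NamingContext": "DC=corp,DC=local"},
    # Benign: a workstation with its ordinary SPNs, and a real DC's own nTDSDSA.
    {"EventID": 4742, "TargetUserName": "WS-HR-07$",
     "ServicePrincipalNames": "HOST/ws-hr-07.corp.local\nRestrictedKrbHost/ws-hr-07.corp.local"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("   ", h)
```

The allow-list is the important design choice: each indicator on its own also fires during a legitimate promotion, so the detector suppresses hosts that are known DCs and treats any other host that accumulates more than one of the four indicators in a short window as a DCShadow candidate. Keep KNOWN_DCS fed from an authoritative inventory rather than from the directory the attacker may have just edited.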