216.73.217.22

T1207: Rogue Domain Controller

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID
T1207
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:09
Author / Source
The MITRE Corporation

Aliases

T1207

Platforms

windows

Description

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (10)

  • DarkGate uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:58 · Modified 21/12/2025 04:30
  • TA-ShadowCricket uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:33 · Modified 21/12/2025 14:33
  • UTA0218 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:18 · Modified 21/12/2025 04:18
  • Chinese state actors uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:10 · Modified 21/12/2025 05:10
  • UNC1860 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:33 · Modified 21/12/2025 06:33
  • Quad7 botnet operators uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:00 · Modified 21/12/2025 07:00
  • StormBamboo uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:17 · Modified 21/12/2025 06:17
  • APT-C-09 (Mozambique) uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:11 · Modified 21/12/2025 06:11
  • DoNex uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:34 · Modified 21/12/2025 03:34
  • Suspected China-based threat actor uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:19 · Modified 21/12/2025 08:19

Malware (64)

  • TEMPLELOCK uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • Impersoni-Fake-Ator uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • RELOADEXT uses
    Family
    Published 05/08/2024 11:29 · Modified 05/08/2024 11:29
  • VoidLink uses
    Family
    Published 26/03/2026 11:59 · Modified 26/03/2026 11:59
  • UPDTAE uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • PowHeartBeat uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • Upm uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • DoNex uses
    Family
    Published 10/07/2024 09:33 · Modified 10/07/2024 09:33
  • ROTPIPE uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • FACEFACE uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • CredentialStealer uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • TEMPLEPLAY uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • BABYWIPER uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • RUDEBIRD uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • Pemodifier uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • PocoProxy uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • TEMPLEDROP uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:33 · Modified 21/12/2025 06:33
  • CoreWarrior uses
    Family
    Published 15/10/2024 11:26 · Modified 15/10/2024 11:26
  • DarkRace uses
    Family
    Published 10/07/2024 09:33 · Modified 10/07/2024 09:33
  • LockBit uses
    Family
    Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
  • ShadUser uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • EAGERBEE uses
    Family
    Published 06/01/2025 21:27 · Modified 06/01/2025 21:27
  • zylogin uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • IcedID - S0483 uses
    Family
    Published 25/09/2025 09:21 · Modified 25/09/2025 09:21
  • FsyNet uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • WINTAPIX uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • NUPAKAGE uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • POCOSTICK uses
    Family
    Published 05/08/2024 11:29 · Modified 05/08/2024 11:29
  • Wgdrop uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • GOST
  • MaggieScan uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • SASHEYAWAY uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • Zloader uses
    Family
    Published 22/09/2025 19:40 · Modified 22/09/2025 19:40
  • DarkGate - S1111 uses
    Family
    Published 09/12/2024 22:32 · Modified 09/12/2024 22:32
  • Winver.exe uses
    Family
    Published 30/07/2024 16:14 · Modified 30/07/2024 16:14
  • BASEWALK uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • PhantomNet uses
    Family
    Published 23/07/2025 15:42 · Modified 23/07/2025 15:42
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • OATBOAT uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • Maggie uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • MadMxShell uses
    Family
    Published 15/07/2024 14:52 · Modified 15/07/2024 14:52
  • SqlShell uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • CCoreDoor uses
    Family
    Published 06/06/2024 07:55 · Modified 06/06/2024 07:55
  • rlogin uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • Latrodectus uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • SPARKLOAD uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • MacMa - S1016 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 06:04 · Modified 21/12/2025 06:04
  • alogin uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • MacMa
  • Client.exe uses
    Family
    Published 30/07/2024 16:14 · Modified 30/07/2024 16:14
  • UPSTYLE
  • TOFUDRV uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • axlogin uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • ROADSWEEP uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • HAMMERTOSS - S0037 uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07
  • Sqldoor uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • Detofin uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • TEMPLEDOOR uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • HAMMERTOSS
  • Miner-C - S0133 uses
    Family
    Published 27/05/2025 23:59 · Modified 27/05/2025 23:59
  • WorkersDevBackdoor uses
    Family
    Published 15/07/2024 14:52 · Modified 15/07/2024 14:52
  • VIROGREEN uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • STAYSHANTE uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • xlogin uses
    Family
    Published 10/09/2024 08:07 · Modified 10/09/2024 08:07

Reports (11)

Vulnerabilities (CVE) (2)

CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2019-0604 KEV

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published
03/11/2021
Modified
20/12/2025

Tool (1)

  • Mimikatz uses
    The MITRE Corporation Confidence 100

    [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …

    Published 31/05/2017 23:32 · Modified 27/03/2026 01:07