Playbook for T1003 - Defense Evasion - Mimikatz DCShadow
This playbook provides systematic remediation steps for investigating incidents suspected to be caused by Mimikatz DCShadow. DCShadow is a feature of Mimikatz that simulates the behavior of a Domain Controller (a server that controls Active Directory) in order to inject its own data into the directory, bypassing most standard security controls (including SIEMs).
Mimikatz DCShadow lets the attacker register a rogue Domain Controller (DC) that becomes part of the Active Directory (AD) infrastructure. Once registered, it is trusted as a legitimate DC and can cause damage.
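As an added defender's example that is not part of this playbook, the following Python triage helper scans Windows Security event records for two common signs of a rogue DC being registered. The event IDs, the SPN patterns, the host names and the sample records are assumptions drawn from general DCShadow detection guidance, not from this page.

```python
"""Flag Windows Security events consistent with DCShadow-style rogue DC registration.
Indicators assumed from general DCShadow detection guidance (not from this playbook):
  * 4742 (computer account changed) adding a "GC/" SPN or the Directory Replication
    Service SPN class E3514235-4B06-11D1-AB04-00C04FC2DCD2/... to a non-DC machine account.
  * 5137 (directory object created) for an nTDSDSA or server object under CN=Sites
    in the Configuration partition.
"""
import re

DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
SITES_RE = re.compile(r"CN=Sites,CN=Configuration,DC=", re.IGNORECASE)

def is_dc_only_spn(spn: str) -> bool:
    """True for SPN classes that only legitimate DCs should carry."""
    return spn.split("/", 1)[0].upper() in ("GC", DRS_SPN_GUID)

def analyze_events(events, known_dcs):
    """Return (event_id, subject, reason) tuples for suspicious events.
    events: dicts with 4742/5137 fields (EventID, TargetUserName, ServicePrincipalNames, ObjectDN, ObjectClass).
    known_dcs: sAMAccountNames (e.g. "DC01$") of legitimate DCs, which may carry these SPNs."""
    known = {d.upper() for d in known_dcs}
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            target = ev.get("TargetUserName", "")
            bad = [s for s in ev.get("ServicePrincipalNames", []) if is_dc_only_spn(s)]
            if bad and target.upper() not in known:
                findings.append((eid, target, "DC-only SPN on non-DC account: " + ", ".join(bad)))
        elif eid == 5137:
            cls, dn = ev.get("ObjectClass", "").lower(), ev.get("ObjectDN", "")
            if cls in ("ntdsdsa", "server") and SITES_RE.search(dn):
                findings.append((eid, dn, f"new {cls} object created in the Sites container"))
    return findings

# Constructed sample records (hypothetical hosts), not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": ["GC/dc01.corp.example/corp.example"]},
    {"EventID": 4742, "TargetUserName": "WS-FINANCE07$",
     "ServicePrincipalNames": ["HOST/ws-finance07", "GC/ws-finance07.corp.example/corp.example",
                               f"{DRS_SPN_GUID}/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b/corp.example"]},
    {"EventID": 5137, "ObjectClass": "nTDSDSA", "ObjectDN": "CN=NTDS Settings,CN=WS-FINANCE07,"
     "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 5137, "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    print(analyze_events(SAMPLE_EVENTS, {"DC01$"}))
```

A real deployment would feed parsed event XML into `analyze_events` and take the list of legitimate DCs from the Domain Controllers OU rather than a hard-coded set.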