drop dc event log + replication state · detect rogue replication writes
correlates nTDSDSA / DRS SPN registration · unregistered replication partners · sensitive attribute replication
heuristic screener · replication metadata format varies — partner correlation is indicative only · not definitive proof of dcshadow