Detecting a Rogue Domain Controller - DCShadow Attack - SentinelOne

2022-08-26 23:32:00 By: Mr. Kevin Chan

In our earlier blog post, Protecting Against Active Directory DCSync Attacks, we saw how attackers can abuse replication permissions to take complete control of Active Directory (AD) infrastructure using DCSync attacks. Another devastating technique attackers use against AD is the DCShadow attack. It is a method of manipulating AD data, including objects and schemas, by registering (or reusing an inactive registration for) a fake Domain Controller (DC) and simulating the behavior of a legitimate one.

A DCShadow attack allows an attacker who already holds domain or enterprise admin privileges to create a rogue DC in the network. Once registered, the rogue DC is used to inject domain objects (such as accounts, access control lists, schemas, credentials, or access keys) and replicate those changes into the AD infrastructure.

The DCShadow attack shares similarities with the DCSync attack, and both are implemented in the lsadump module of the open-source tool Mimikatz. It is a post-exploitation technique that requires domain admin or enterprise admin privileges on an endpoint. The attack flow below was demonstrated with detailed steps at the BlueHat IL 2018 conference by Vincent Le Toux and Benjamin Delpy.

Attackers can perform a DCShadow attack by installing Mimikatz on a compromised Windows endpoint and starting the mimidrv service. To play the role of the fake Domain Controller, the attacker executes the following commands to register and start the service with the appropriate privileges.

Let us take one scenario and see how an attacker attempts to gain persistence by modifying the primaryGroupID attribute. The attacker runs the lsadump::dcshadow command to set the value of primaryGroupID to 512, the well-known RID of the Domain Admins group.

The following command makes a standard domain user a member of the Domain Admins group.

First, let us verify the primary group ID value before pushing the AD data. As shown in the image below, we can use the net group command to confirm that the user POC User5 is not part of the Domain Admins group.

We then replicate the changes from the rogue domain controller to the legitimate one by executing the following command.

Let us verify the net group command output again. As you can see, the same user, POC User5, is now part of the Domain Admins group.

It is as simple as that. Once an account is a member of Domain Admins or another privileged group, it holds elevated privileges in the domain and can be used to compromise the entire domain.
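The scenario above grants Domain Admins rights through primaryGroupID rather than through the group's member attribute, which is exactly what a membership-only audit overlooks. The following PowerShell is an added example, not code from the original post or from the SentinelOne product: it lists accounts whose primary group is not the default Domain Users group, reports whether the group's member attribute also lists them, and then reads the replication metadata for primaryGroupID to see which directory server originated the change. It assumes the RSAT ActiveDirectory module, a domain-joined host and read access to the domain; the RIDs used are the well-known defaults (Domain Users = 513, Domain Admins = 512).

```powershell
# Added example (not part of the original post or the SentinelOne product):
# find accounts whose privileges come from primaryGroupID rather than from an
# explicit membership entry, then show where the attribute change originated.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$domainSid      = $domain.DomainSID.Value
$defaultUserRid = 513   # Domain Users, the default primary group for users
$domainAdminRid = 512   # Domain Admins

function Get-PrimaryGroupSuspects {
    # Users whose primary group is anything other than Domain Users.
    Get-ADUser -LDAPFilter "(!(primaryGroupID=$defaultUserRid))" `
               -Properties primaryGroupID, whenChanged |
    ForEach-Object {
        $user     = $_
        $groupSid = "$domainSid-$($user.primaryGroupID)"
        $group    = Get-ADGroup -Identity $groupSid -Properties member -ErrorAction SilentlyContinue

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            PrimaryGroupID = $user.primaryGroupID
            PrimaryGroup   = if ($group) { $group.Name } else { '<unresolved>' }
            # Membership granted via primaryGroupID never appears in the group's
            # "member" attribute, so a review of that attribute alone misses it
            # (net group and Get-ADGroupMember do honour it).
            ExplicitMember = [bool]($group -and ($group.member -contains $user.DistinguishedName))
            LastChanged    = $user.whenChanged
            DN             = $user.DistinguishedName
        }
    }
}

function Get-PrimaryGroupOrigin {
    param([string]$DistinguishedName, [string]$Server = $domain.PDCEmulator)
    # Replication metadata records the nTDSDSA (NTDS Settings) object that
    # originated the last change to primaryGroupID. A change pushed by a rogue
    # DC points at a DSA that is not one of the legitimate DCs and has usually
    # been removed again by the time anyone looks.
    Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $Server `
        -Properties primaryGroupID |
    Select-Object AttributeName, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity, Version
}

# NTDS Settings DNs of every DC the directory currently knows about.
$knownDsaDns = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN

$suspects = Get-PrimaryGroupSuspects | Where-Object {
    $_.PrimaryGroupID -eq $domainAdminRid -and -not $_.ExplicitMember
}

foreach ($s in $suspects) {
    Write-Host "== $($s.SamAccountName): primaryGroupID=$($s.PrimaryGroupID) ($($s.PrimaryGroup)), changed $($s.LastChanged) =="
    $meta = Get-PrimaryGroupOrigin -DistinguishedName $s.DN
    $meta | Format-List
    $origin = $meta.LastOriginatingChangeDirectoryServerIdentity
    if ($knownDsaDns -notcontains $origin) {
        Write-Warning "primaryGroupID on $($s.SamAccountName) originated from '$origin', which is not a current DC. Investigate as a possible DCShadow push."
    }
}
```

The originating server check is what ties the finding back to replication rather than to an ordinary administrative change: a legitimate modification through a DC leaves that DC's NTDS Settings object in the metadata, whereas a change replicated in from a short-lived rogue registration does not match any DC in the current inventory. Run it against more than one DC if you suspect metadata was tampered with on the one you first queried.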

TrickBot is an example of a modular malware that used Mimikatz’s lsadump module to collect valuable information and carry out attacks, such as DCSync, DCShadow, and the Kerberos Golden Ticket compromise.

The DCShadow technique can evade detection and bypass SIEM logging mechanisms, because the changes arrive at the legitimate DC through replication rather than as directory modifications that would normally be logged. The technique can also change or delete replication and other associated metadata to obstruct forensic analysis. The SentinelOne Singularity™ Identity solution detects DCShadow attacks targeting AD and identifies suspicious user behaviors. The solution also triggers high-fidelity alerts and reports on rogue Domain Controllers that can pose a serious risk to the organization’s domain information.

As a mitigation strategy, security administrators can examine which DCs are genuine and which are rogue. Delete any computer object that is not a genuine Domain Controller. It is also important to verify the computer objects in the Domain Controllers OU against the nTDSDSA objects in the configuration partition of AD.
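One way to carry out that cross-check is to build the DC inventory from each place a legitimate DC must appear and flag any host missing from one of them. The PowerShell below is an added example, not code from the original post or from the SentinelOne product; it assumes the RSAT ActiveDirectory module and read access to the domain and configuration partitions.

```powershell
# Added example (not part of the original post or the SentinelOne product):
# reconcile the Domain Controllers OU, the nTDSDSA objects in the configuration
# partition and the directory's own DC enumeration, and flag mismatches.
# Assumes the RSAT ActiveDirectory module and read access to both partitions.
Import-Module ActiveDirectory

function Get-DCInventory {
    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # 1. Computer objects in the Domain Controllers OU.
    $ouHosts = Get-ADComputer -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" -Filter * |
               Select-Object -ExpandProperty DNSHostName

    # 2. nTDSDSA objects in the configuration partition. Each one lives under a
    #    server object (CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...)
    #    whose dNSHostName names the machine. A rogue registration shows up
    #    here while the rogue DC is active.
    $ntdsHosts = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
                 ForEach-Object {
                     # Parent DN = everything after the first RDN.
                     $serverDn = ($_.DistinguishedName -split ',(?=CN=)', 2)[1]
                     (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
                 }

    # 3. What the directory itself enumerates as domain controllers.
    $dcHosts = (Get-ADDomainController -Filter *).HostName

    $all = @($ouHosts) + @($ntdsHosts) + @($dcHosts) | Where-Object { $_ } | Sort-Object -Unique
    foreach ($h in $all) {
        $inOu   = [bool]($ouHosts   -contains $h)
        $hasDsa = [bool]($ntdsHosts -contains $h)
        $enumDc = [bool]($dcHosts   -contains $h)
        [pscustomobject]@{
            Host                  = $h
            InDomainControllersOU = $inOu
            HasNTDSDSA            = $hasDsa
            EnumeratedAsDC        = $enumDc
            # A real DC is present in all three; anything else needs a look.
            Suspicious            = -not ($inOu -and $hasDsa -and $enumDc)
        }
    }
}

Get-DCInventory | Format-Table -AutoSize
```

Any row with Suspicious set to True deserves attention: an NTDS Settings object for a host that is not in the Domain Controllers OU is the classic footprint of a rogue registration, while a known DC with no nTDSDSA object may have been unregistered after a push. Because a DCShadow registration can be removed within minutes, this is a point-in-time snapshot; schedule it and keep the output so that changes between runs are visible.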

The following investigation steps can also help security administrators mitigate DCShadow attacks.

Attackers can use the DCShadow technique to carry out more advanced attacks and establish backdoors for persistence. Organizations must implement continuous monitoring, regularly review system activities such as AD object creation and replication, and alert the security team to take the necessary mitigations.

For more information, please visit Singularity™ Identity.
