# Attack Technique 5: DCShadow Attack

## **DC Shadow Attack: Overview and Mitigation Strategies**

***

## **Introduction**

A **DC Shadow attack** is a highly sophisticated method of compromising an **Active Directory (AD)** environment. By introducing a **rogue domain controller (DC)** into the network, attackers can manipulate and replicate changes within the AD infrastructure, effectively taking control of critical directory services.

***

## **Attack Overview**

1. **Exploited Protocol**: Kerberos Authentication (Windows Networks)
2. **Targeted Account**: Domain Administrator or similar privileged accounts
3. **Primary Goal**: Unauthorized modification and replication of AD objects for persistent control over the network.

***

## **Attack Steps**

1. **Create/Modify AD Objects**:\
   Attackers modify objects such as **user accounts, groups, or permissions**.
2. **Replicate Changes to Legitimate DCs**:\
   Changes made by the rogue DC are replicated to other legitimate DCs.
3. **Register SPNs for Rogue DC**:\
   The attacker registers Service Principal Names (SPNs) to the rogue DC for authentication.
4. **Register Rogue DC in AD**:\
   The rogue DC is temporarily registered within the AD namespace.
5. **Push Replication Data to Rogue DC**:\
   The rogue DC retrieves and replicates sensitive information.
6. **Delete SPNs and Rogue DC**:\
   To cover tracks, the rogue DC and associated SPNs are deleted.

***

## **Impact**

* **Persistence**: Attackers gain long-term access to modify or create AD objects without detection.
* **Control**: Changes made to AD are replicated across legitimate domain controllers.
* **Stealth**: Deletion of rogue DCs and SPNs makes detection difficult.

***

## **Tools and Techniques for DC Shadow Attacks**

### **Tool 1: Mimikatz**

**Mimikatz** is a post-exploitation tool often used for credential dumping and ticket manipulation, including the DC Shadow attack.

**Step 1: Elevating Privileges and Making Changes**

1. **Initialize Mimidrv Service**:\
   Gain **SYSTEM privileges** to operate as a rogue DC.\
   **Command**:

   ```powershell
   .\mimikatz.exe "!+ !ProcessToken"
   ```
2. **Modify Target Object**:\
   Modify the **SidHistory** attribute of a user object (e.g., Alice).\
   **Command**:

   ```bash
   mimikatz # lsadump::dcshadow /object:"CN=Alice,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-5-1-5-21-2049251289-867822404-1193079966
   ```

**Step 2: Push Changes to Legitimate DCs**

1. **Push Replication Data**:\
   Register the rogue DC and push changes to legitimate DCs.\
   **Command**:

   ```bash
   mimikatz # lsadump::dcshadow /push
   ```
2. **Unregister Rogue DC**:\
   After modifications, unregister the rogue DC to avoid detection.

***

## **Detection Methods for DC Shadow Attacks**

### **1. Network Monitoring**

Monitor **DRSUAPI** traffic (the Directory Replication Service RPC interface that DCs use to replicate with each other), specifically the `DRSUAPI_REPLICA_ADD` operation. A replication request that originates from a host which is not a known domain controller indicates a potential rogue DC.

### **2. Event Log Analysis**

Key **Windows Event IDs** to monitor include:

* **Event ID 5136**:\
  Indicates changes to directory service objects.\
  **Key Fields**: `Security ID`, `Account Name`, `Account Domain`, `Logon ID`.
* **Event ID 5141**:\
  Indicates the deletion of directory service objects.\
  **Key Fields**: `Security ID`, `Account Name`, `Account Domain`, `Logon ID`.

### **3. Active Directory Monitoring**

Monitor changes to AD objects, including:

* **nTDSDSA objects**: the `NTDS Settings` objects under `CN=Sites` in the Configuration partition. Each one represents a DC's directory service agent, so a rogue DC must create one and, as the attack steps above show, delete it again afterwards.
* **SPN registrations**: Look for unauthorized SPN registrations (e.g., `GC/<host>`).

Regular monitoring of these objects can reveal suspicious activities before they are removed.
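The following detection logic, added here as an illustration and not part of the original page, applies the Event Log Analysis and Active Directory Monitoring sections above to a handful of constructed Event 5136/5141 records: it flags nTDSDSA activity on hosts that are not in an assumed DC inventory (`KNOWN_DCS`), nTDSDSA objects that are deleted shortly after being modified, and `GC/` SPNs added to non-DC computers. The field names mirror the event XML data elements; the hostnames, DNs and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta

KNOWN_DCS = {"DC01", "DC02"}  # assumption: your authoritative inventory of DC hostnames

def server_of(dn):
    """Host an object belongs to: the server CN for an 'NTDS Settings' (nTDSDSA)
    object under CN=Sites, otherwise the object's own leading CN. Upper-cased."""
    rdns = [p.split("=", 1)[1].strip().upper() for p in dn.split(",")]
    return rdns[1] if rdns[0] == "NTDS SETTINGS" and len(rdns) > 1 else rdns[0]

def detect_dcshadow(events, known_dcs=KNOWN_DCS, window=timedelta(minutes=15)):
    """Return alerts for: nTDSDSA objects touched on hosts that are not known DCs,
    nTDSDSA objects deleted (5141) within `window` of a modification (5136), and
    GC/ SPNs added to hosts that are not known DCs. Events are dicts holding the
    fields a SIEM would extract from the Security log XML."""
    alerts, first_mod = [], {}
    for e in events:
        dn, host = e["ObjectDN"], server_of(e["ObjectDN"])
        t = datetime.fromisoformat(e["TimeCreated"])
        if e["ObjectClass"].lower() == "ntdsdsa":
            if host not in known_dcs:
                alerts.append({"kind": "ntdsdsa_on_non_dc", "host": host, "event": e["EventID"]})
            if e["EventID"] == 5136:
                first_mod.setdefault(dn, t)  # remember when the object was first touched
            elif e["EventID"] == 5141 and dn in first_mod and t - first_mod[dn] <= window:
                alerts.append({"kind": "transient_ntdsdsa", "host": host, "event": 5141})
        if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname":
            if e["AttributeValue"].upper().startswith("GC/") and host not in known_dcs:
                alerts.append({"kind": "gc_spn_on_non_dc", "host": host, "event": 5136})
    return alerts

def ev(eid, t, dn, cls, attr="", val=""):
    return {"EventID": eid, "TimeCreated": t, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "AttributeValue": val}

CFG = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sub,DC=domain,DC=com"
SAMPLE_EVENTS = [  # constructed sample events, not taken from a real environment
    ev(5136, "2024-01-10T10:00:00", f"CN=NTDS Settings,CN=WS07,{CFG}", "nTDSDSA", "options", "0"),
    ev(5136, "2024-01-10T10:00:05", "CN=WS07,OU=Workstations,DC=sub,DC=domain,DC=com",
       "computer", "servicePrincipalName", "GC/WS07.sub.domain.com/sub.domain.com"),
    ev(5136, "2024-01-10T10:00:30", "CN=Alice,OU=Employees,DC=sub,DC=domain,DC=com",
       "user", "description", "Payroll"),  # benign change, must not alert
    ev(5136, "2024-01-10T10:01:00", f"CN=NTDS Settings,CN=DC01,{CFG}", "nTDSDSA", "options", "1"),
    ev(5141, "2024-01-10T10:02:00", f"CN=NTDS Settings,CN=WS07,{CFG}", "nTDSDSA"),
]

if __name__ == "__main__":
    for alert in detect_dcshadow(SAMPLE_EVENTS):
        print(alert)  # four alerts, all for WS07; the DC01 and Alice events stay quiet
```

In a real deployment the event dicts come from your SIEM's parsed 5136/5141 records and `KNOWN_DCS` from a trusted DC inventory; the nTDSDSA and SPN checks are what distinguish a rogue DC from routine directory changes.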

***

## **Mitigation Techniques for DC Shadow Attacks**

### **1. Implement Firewall Policies**

* **Host-Based Firewalls**: Limit lateral movement by restricting unauthorized network access.
* **Remote Protocol Restrictions**: Allow **RDP** and other remote management protocols only from trusted sources.

### **2. Limit User Privileges**

* **Minimize Privileged Accounts**: Restrict the number of accounts with administrative privileges across security boundaries.

### **3. Control Access to Computer Objects**

* **Restrict Object Creation**: Limit permissions for creating new computer objects in AD to prevent unauthorized domain controllers.

### **4. Reduce Delegated Administrative Permissions**

* **Privileged Group Governance**: Ensure built-in groups (e.g., Domain Admins) are well-governed, and delegate permissions minimally.

### **5. Maintain Active Directory Hygiene**

* **Clean Up Unused Objects**: Regularly remove unused computer objects, sites, and NTDSDSA objects.
* **Audit SPN Changes**: Regular audits of SPN registrations help identify rogue entries.

### **6. Leverage Monitoring Solutions**

* Use **SIEM (Security Information and Event Management)** solutions to aggregate and analyze logs for early detection.

***

## **Conclusion**

A **DC Shadow attack** is a potent method of compromising an Active Directory environment, allowing attackers to persistently and stealthily control directory objects. By introducing a rogue domain controller, adversaries can replicate unauthorized changes to legitimate DCs, bypassing traditional detection mechanisms.

To defend against this advanced threat, organizations must adopt a multi-layered security approach that includes **privilege management**, **network monitoring**, and **continuous auditing**. By implementing robust mitigation techniques and maintaining strong AD hygiene, organizations can significantly reduce the risks associated with DC Shadow attacks and protect their critical infrastructure.

