# Attack Technique 5: DCShadow Attack

## **DC Shadow Attack: Overview and Mitigation Strategies**

***

## **Introduction**

A **DC Shadow attack** is a highly sophisticated method of compromising an **Active Directory (AD)** environment. By introducing a **rogue domain controller (DC)** into the network, attackers can manipulate and replicate changes within the AD infrastructure, effectively taking control of critical directory services.

***

## **Attack Overview**

1. **Exploited Protocol**: Kerberos Authentication (Windows Networks)
2. **Targeted Account**: Domain Administrator or similar privileged accounts
3. **Primary Goal**: Unauthorized modification and replication of AD objects for persistent control over the network.

***

## **Attack Steps**

1. **Create/Modify AD Objects**:\
   Attackers modify objects such as **user accounts, groups, or permissions**.
2. **Replicate Changes to Legitimate DCs**:\
   Changes made by the rogue DC are replicated to other legitimate DCs.
3. **Register SPNs for Rogue DC**:\
   The attacker registers Service Principal Names (SPNs) to the rogue DC for authentication.
4. **Register Rogue DC in AD**:\
   The rogue DC is temporarily registered within the AD namespace.
5. **Push Replication Data to Rogue DC**:\
   The rogue DC retrieves and replicates sensitive information.
6. **Delete SPNs and Rogue DC**:\
   To cover tracks, the rogue DC and associated SPNs are deleted.

***

## **Impact**

* **Persistence**: Attackers gain long-term access to modify or create AD objects without detection.
* **Control**: Changes made to AD are replicated across legitimate domain controllers.
* **Stealth**: Deletion of rogue DCs and SPNs makes detection difficult.

***

## **Tools and Techniques for DC Shadow Attacks**

### **Tool 1: Mimikatz**

**Mimikatz** is a post-exploitation tool often used for credential dumping and ticket manipulation, including the DC Shadow attack.

**Step 1: Elevating Privileges and Making Changes**

1. **Initialize Mimidrv Service**:\
   Gain **SYSTEM privileges** to operate as a rogue DC.\
   **Command**:

   ```bash
   .\mimikatz.exe "!+ !ProcessToken"
   ```
2. **Modify Target Object**:\
   Modify the **SidHistory** attribute of a user object (e.g., Alice).\
   **Command**:

   ```bash
   mimikatz # lsadump::dcshadow /object:"CN=Alice,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-5-1-5-21-2049251289-867822404-1193079966
   ```

**Step 2: Push Changes to Legitimate DCs**

1. **Push Replication Data**:\
   Register the rogue DC and push changes to legitimate DCs.\
   **Command**:

   ```bash
   mimikatz # lsadump::dcshadow /push
   ```
2. **Unregister Rogue DC**:\
   After modifications, unregister the rogue DC to avoid detection.

***

## **Detection Methods for DC Shadow Attacks**

### **1. Network Monitoring**

Monitor **DRSUAPI Remote Procedure Calls (RPC)**, specifically the `DRSUAPI_REPLICA_ADD` operation. If such requests originate from systems that are not known domain controllers, they indicate a potential rogue DC.

### **2. Event Log Analysis**

Key **Windows Event IDs** to monitor include (note that these events are only generated when the **Directory Service Changes** audit subcategory is enabled and the monitored objects carry an auditing SACL):

* **Event ID 5136**:\
  Indicates changes to directory service objects.\
  **Key Fields**: `Security ID`, `Account Name`, `Account Domain`, `Logon ID`.
* **Event ID 5141**:\
  Indicates the deletion of directory service objects.\
  **Key Fields**: `Security ID`, `Account Name`, `Account Domain`, `Logon ID`.

### **3. Active Directory Monitoring**

Monitor changes to AD objects, including:

* **nTDSDSA objects**: These live under `CN=Sites,CN=Configuration` and represent domain controllers; a new one that does not belong to a known DC represents the rogue DC.
* **SPN registrations**: Look for unauthorized SPN registrations (e.g., `GC/<host>`).

Regular monitoring of these objects can reveal suspicious activities before they are removed.
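The following is an added detection example (not part of the original handbook) that ties the Event Log Analysis and Active Directory Monitoring sections together: it runs over constructed 5136/5141 records, flags non-DC hosts that gain an nTDSDSA object or a `GC/` SPN, and marks the case where the nTDSDSA object is deleted again shortly afterwards. The host names, domain, and the `KNOWN_DCS` allowlist are assumptions for the sample.

```python
from datetime import datetime, timedelta

# Assumed allowlist of legitimate DC host names (load from the Domain Controllers OU in practice).
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample records shaped like the EventData fields of 5136/5141 (not real logs).
ROGUE_NTDS = ("CN=NTDS Settings,CN=WS-FINANCE07,CN=Servers,CN=Default-First-Site-Name,"
              "CN=Sites,CN=Configuration,DC=corp,DC=example")
SAMPLE_EVENTS = [
    {"EventID": 5136, "time": "2024-05-01T10:00:05", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=WS-FINANCE07,OU=Workstations,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/WS-FINANCE07.corp.example/corp.example"},
    {"EventID": 5136, "time": "2024-05-01T10:00:07", "SubjectUserName": "jdoe",
     "ObjectDN": ROGUE_NTDS, "ObjectClass": "nTDSDSA",
     "AttributeLDAPDisplayName": "objectClass", "AttributeValue": "nTDSDSA"},
    {"EventID": 5141, "time": "2024-05-01T10:01:30", "SubjectUserName": "jdoe",
     "ObjectDN": ROGUE_NTDS, "ObjectClass": "nTDSDSA"},
    # Benign: a real DC touching its own GC SPN is allowlisted and ignored.
    {"EventID": 5136, "time": "2024-05-01T10:02:00", "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/DC01.corp.example/corp.example"},
]

def host_from_dn(dn):
    """Host an object belongs to: its first RDN, or the parent server RDN for NTDS Settings."""
    rdns = [part.split("=", 1)[1] for part in dn.split(",") if "=" in part]
    if len(rdns) > 1 and rdns[0].lower() == "ntds settings":
        return rdns[1].upper()
    return rdns[0].upper() if rdns else ""

def detect_dcshadow(events, known_dcs=KNOWN_DCS, window=timedelta(minutes=15)):
    """Flag non-DC hosts gaining an nTDSDSA object or GC/ SPN (5136); a 5141 deletion of
    that nTDSDSA object within the window is the 'cover tracks' step and is recorded."""
    suspects = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host = host_from_dn(ev["ObjectDN"])
        if host in known_dcs:
            continue
        ts = datetime.fromisoformat(ev["time"])
        is_ntds = ev.get("ObjectClass", "").lower() == "ntdsdsa"
        is_gc_spn = (ev.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                     and ev.get("AttributeValue", "").upper().startswith("GC/"))
        if ev["EventID"] == 5136 and (is_ntds or is_gc_spn):
            s = suspects.setdefault(host, {"actor": ev["SubjectUserName"], "first_seen": ts,
                                           "indicators": [], "cleaned_up": False})
            s["indicators"].append("nTDSDSA object" if is_ntds else ev["AttributeValue"])
        elif ev["EventID"] == 5141 and is_ntds and host in suspects:
            suspects[host]["cleaned_up"] = ts - suspects[host]["first_seen"] <= window
    return suspects
```

Because the rogue objects are deleted quickly, the events must be forwarded to a SIEM as they occur; querying the directory after the fact will usually find nothing.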

***

## **Mitigation Techniques for DC Shadow Attacks**

### **1. Implement Firewall Policies**

* **Host-Based Firewalls**: Limit lateral movement by restricting unauthorized network access.
* **Remote Protocol Restrictions**: Allow **RDP** and other remote management protocols only from trusted sources.

### **2. Limit User Privileges**

* **Minimize Privileged Accounts**: Restrict the number of accounts with administrative privileges across security boundaries.

### **3. Control Access to Computer Objects**

* **Restrict Object Creation**: Limit permissions for creating new computer objects in AD to prevent unauthorized domain controllers.

### **4. Reduce Delegated Administrative Permissions**

* **Privileged Group Governance**: Ensure built-in groups (e.g., Domain Admins) are well-governed, and delegate permissions minimally.

### **5. Maintain Active Directory Hygiene**

* **Clean Up Unused Objects**: Regularly remove unused computer objects, sites, and NTDSDSA objects.
* **Audit SPN Changes**: Regular audits of SPN registrations help identify rogue entries.

### **6. Leverage Monitoring Solutions**

* Use **SIEM (Security Information and Event Management)** solutions to aggregate and analyze logs for early detection.

***

## **Conclusion**

A **DC Shadow attack** is a potent method of compromising an Active Directory environment, allowing attackers to persistently and stealthily control directory objects. By introducing a rogue domain controller, adversaries can replicate unauthorized changes to legitimate DCs, bypassing traditional detection mechanisms.

To defend against this advanced threat, organizations must adopt a multi-layered security approach that includes **privilege management**, **network monitoring**, and **continuous auditing**. By implementing robust mitigation techniques and maintaining strong AD hygiene, organizations can significantly reduce the risks associated with DC Shadow attacks and protect their critical infrastructure.

