DCShadow Attack Explained - MITRE ATT&CK T1207

By Sıla Özeren  •  August 22, 2023


The DCShadow attack, categorized as the Rogue Domain Controller technique (T1207) in the MITRE ATT&CK Framework, presents a significant threat to IT environments globally. This method can jeopardize an entire network, providing broad, unauthorized access to domain resources.

This blog delves into the attack flow of the DCShadow attack, which introduces a rogue domain controller to a victim's Active Directory environment. It also offers an in-depth examination of how the attack can be leveraged by Mimikatz's lsadump module, its potential impacts, and detection and mitigation strategies that organizations can implement to safeguard their systems.


What Is the DCShadow Attack?

DCShadow is a sophisticated attack technique that compromises an Active Directory environment by introducing a rogue domain controller (DC) into the network and using it to push changes into Active Directory. Because the changes arrive through AD's native replication mechanism, they are not recorded the way ordinary directory edits are, so security teams typically cannot see them in event logs; this lets the attacker bypass security controls and remain persistent in the target environment.

Even though this type of attack appears to be used for pushing malicious and unauthorized changes to the Active Directory environment, thereby maintaining persistence or creating a backdoor to AD, adversaries can also use DCShadow for privilege escalation in other trusted domains as administrators.

A typical DCShadow attack consists of six steps. The technique requires administrative-level rights, so in the following explanation readers should assume that the attacker has already compromised a domain-joined administrative account.

  • Environment Manipulation: The attacker first creates changes in the environment, such as adding new objects or modifying existing ones, and then waits for the changes to be replicated to the legitimate domain controllers.

  • Service Principal Registration: Next, the attacker sets specific service principal names (SPNs) on a machine they intend to use as a rogue DC. SPNs are crucial for Kerberos authentication within the AD environment.

  • Rogue Domain Controller Registration: The attacker inserts a rogue entry within the Configuration Namespace (CN) of the target domain. This bogus entry allows the rogue DC to pose as a legitimate participant in the AD replication process, enabling authentication and communication with other controllers.

  • Triggering the Replication: The attacker triggers replication to a legitimate Domain Controller. Recognizing the rogue DC's pairing in the CN, the legitimate DC reaches out to pull replication data from the rogue entity.

  • Replicating Changes: Unauthorized and potentially malicious modifications are propagated across the AD environment through the replication process.

  • Cleanup: As a final step to avoid detection, the attacker removes the SPNs associated with the rogue DC and the DC entry from the CN. This obfuscation tactic leaves the AD environment compromised and under the attacker's control, capitalizing on AD's inherent replication mechanism to achieve persistence.

Tools and Techniques to Perform a DCShadow Attack

DCShadow, a feature in Mimikatz's lsadump module (lsadump::dcshadow), enables the creation of rogue domain controllers to push changes to Active Directory. Executing a DCShadow attack with Mimikatz involves two primary steps.

Tool: Mimikatz

Before we go any further, we need to assume that the attacker has already compromised the credentials of a domain-joined account with administrative permissions; let's call this user Bob. This assumption matters because an administrative account is what allows the adversary to make changes to the environment, such as adding a rogue domain controller and replicating changes between it and the legitimate domain controllers. Without administrative access, the attacker would not be able to carry out the DCShadow attack.

Step 1: Elevating to SYSTEM privileges and making changes to the replicated object

The first step in a DCShadow attack is to elevate privileges. This is achieved by starting the mimidrv service using the commands "!+" and "!ProcessToken". Together, they register and start the "mimidrv" service and elevate the Mimikatz process token to SYSTEM level.

PS> .\mimikatz.exe "!+ !ProcessToken"

Subsequently, the adversary configures the rogue domain controller:

mimikatz # lsadump::dcshadow /object:"CN=Alice,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-5-1-5-21-2049251289-867822404-1193079966

. . .
** Starting server **
 > BindString[0]: ncacn_ip_tcp:<LocationOfFakeServer>[ThePortItListensTo]
 > RPC bind registered
 > RPC Server is waiting!

This command sets up the rogue server for a DCShadow attack. The "/object" switch specifies the targeted user object, in this case the user "Alice". The "/attribute" switch specifies the attribute to be modified on the target object, in this case "SidHistory". Finally, the "/value" switch specifies the new value for that attribute, in this case "S-5-1-5-21-2049251289-867822404-1193079966".

In the context of a DCShadow attack, this command is used to specify the rogue server and target the user object to modify its SidHistory attribute with the new specified value. The modified attribute can be used to grant the attacker unauthorized access to the target system and sensitive information.

Step 2: Pushing the changes back to a real domain controller

In the second step, the adversary launches Mimikatz again as the "Bob" account, the one compromised in the first place, and runs the following command:

mimikatz # lsadump::dcshadow /push

This command, lsadump::dcshadow /push, carries out the DCShadow attack by registering the rogue domain controller (shadow DC) in the directory and triggering a legitimate DC to pull replication data from it. The aim is to modify the contents of the Active Directory database through the rogue domain controller. Once the replication data has been committed, the rogue domain controller is unregistered for cleanup purposes.

Once everything is done, the attacker logs out of the compromised account Bob and logs back in to obtain an updated access token that carries the modified SID history.

Detection Methods for the DCShadow Attack

The only definitive way to identify a DCShadow attack is through network monitoring of DRSUAPI Remote Procedure Call (RPC) requests for the DRSUAPI_REPLICA_ADD operation that originate from systems that are not known to be domain controllers. Another method of detecting DCShadow is through analyzing Windows event logs, but this approach only provides signs of the attack and not the exact changes made by the attacker.

In order to mimic a domain controller, DCShadow must make changes in Active Directory, such as adding a new nTDSDSA object and a global catalog (GC/<host>) servicePrincipalName to a computer object that is not a known domain controller. After the attack is completed, both of these items are removed again.

To detect a DCShadow attack, closely monitor specific Windows Event IDs. Event IDs 4928 and 4929 pinpoint changes in Active Directory replica source naming contexts. Event ID 5136 records a modification of a directory service object (such as the servicePrincipalName change above), and Event ID 5141 signals the deletion of a directory service object. By diligently tracking these events, potential malicious activities associated with DCShadow can be swiftly identified ([1], [2], [3]).

Event ID 4928 - An Active Directory replica source naming context was established.

  • Key Description Fields: Destination DRA, Source DRA, Source Address, Naming Context

Event ID 4929 - An Active Directory replica source naming context was removed.

  • Key Description Fields: Destination DRA, Source DRA, Source Address, Naming Context

Event ID 5136 - A directory service object was modified.

  • Key Description Fields: Security ID, Account Name, Account Domain, Logon ID 

Event ID 5141 - A directory service object was deleted.

  • Key Description Fields: Security ID, Account Name, Account Domain, Logon ID 
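The indicators above can be turned into a simple triage rule: any 4928/4929 whose replication source is not a known domain controller, any 5136 that sets a GC/ servicePrincipalName on a non-DC computer, and any 5136/5141 touching an nTDSDSA object under a non-DC server. The following is an added example written for this article, not code from the original post; the allow-list of domain controllers and every event record are constructed, and the field names mirror the key description fields listed above.

```python
# Added example (not from the original post): triage of constructed Windows
# Security events for the DCShadow indicators discussed above.

KNOWN_DCS = {"DC01", "DC02"}                  # constructed: hostnames of real DCs
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}     # constructed: their addresses

# Constructed sample events, already split into fields as a SIEM would present them.
SAMPLE_EVENTS = [
    {"EventID": 4928, "SourceAddress": "10.0.0.11",
     "SourceDRA": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=sub,DC=domain,DC=com"},
    {"EventID": 4928, "SourceAddress": "10.0.5.42",   # a workstation acting as a replication source
     "SourceDRA": "CN=NTDS Settings,CN=WS-BOB,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=sub,DC=domain,DC=com"},
    {"EventID": 5136, "AccountName": "bob", "Attribute": "servicePrincipalName",
     "Value": "GC/ws-bob.sub.domain.com/sub.domain.com",
     "ObjectDN": "CN=WS-BOB,CN=Computers,DC=sub,DC=domain,DC=com"},
    {"EventID": 5141, "AccountName": "bob", "ObjectClass": "nTDSDSA",   # rogue NTDS Settings removed at cleanup
     "ObjectDN": "CN=NTDS Settings,CN=WS-BOB,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=sub,DC=domain,DC=com"},
]


def server_from_dn(dn):
    """Upper-cased server/computer name from a DN: the second RDN for an
    'NTDS Settings' object (the DSA sits under its server object), else the first."""
    rdns = [part.split("=", 1)[1] for part in dn.split(",") if "=" in part]
    if not rdns:
        return ""
    name = rdns[1] if rdns[0].upper() == "NTDS SETTINGS" and len(rdns) > 1 else rdns[0]
    return name.upper()


def triage(events, known_dcs=KNOWN_DCS, known_ips=KNOWN_DC_IPS):
    """Return (EventID, reason) for events in which a host that is not a known DC
    appears as a replication source, gains a GC/ SPN, or owns an nTDSDSA object."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (4928, 4929):
            src, addr = server_from_dn(ev.get("SourceDRA", "")), ev.get("SourceAddress")
            if src not in known_dcs or addr not in known_ips:
                alerts.append((eid, f"replication source {src} ({addr}) is not a known DC"))
        elif eid == 5136 and ev.get("Attribute", "").lower() == "serviceprincipalname":
            host = server_from_dn(ev.get("ObjectDN", ""))
            if ev.get("Value", "").upper().startswith("GC/") and host not in known_dcs:
                alerts.append((eid, f"GC SPN set on non-DC computer {host} by {ev.get('AccountName')}"))
        elif eid in (5136, 5141) and ev.get("ObjectClass", "").lower() == "ntdsdsa":
            host = server_from_dn(ev.get("ObjectDN", ""))
            if host not in known_dcs:
                alerts.append((eid, f"nTDSDSA object for non-DC {host} touched by {ev.get('AccountName')}"))
    return alerts
```

Running triage(SAMPLE_EVENTS) flags the second 4928, the 5136 and the 5141 record, while the replication from DC02 stays silent; in production the allow-list should come from the Domain Controllers OU rather than a hard-coded set.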

Mitigation Techniques for the DCShadow Attack

DCShadow is a sophisticated native replication attack that exploits Active Directory (AD) features and privileges to push malicious and unauthorized changes into the AD environment. While it is impossible to completely eliminate the risk of this attack, adopting a multi-layered security strategy is crucial for mitigation.

Here are some recommendations to help decrease the likelihood of a successful DCShadow attack:

Mitigation Technique 1: Implementing firewall policies

Use host-based firewalls to limit lateral movement. Ensure that remote management protocols such as RDP are only accessible from a small set of approved and monitored systems.

Mitigation Technique 2: Limit user privileges

It is essential to limit the number of users with administrative privileges across security boundaries. This helps to minimize the extent to which an attacker can escalate their privileges.

Mitigation Technique 3: Control access to computer objects

Constrain the number of users with permission to add computer objects to the Active Directory. This helps to prevent unauthorized changes to the AD infrastructure.

Mitigation Technique 4: Reduce delegated administrative permissions

Adequately govern built-in privileged groups and delegated administrative permissions to reduce the risk of abuse.

Mitigation Technique 5: Maintain good Active Directory hygiene

Regularly removing unused sites and computer objects helps maintain good Active Directory hygiene and reduces the attack surface.

By following these mitigation strategies, organizations can better protect themselves against DCShadow attacks and other types of advanced persistent threats.

References

[1] “5136(S): A directory service object was modified,” Microsoft. [Online]. Available: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136. [Accessed: Aug. 21, 2023]

[2] “Detecting Lateral Movement through Tracking Event Logs,” JPCERT/CC. [Online]. Available: https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf. [Accessed: Aug. 21, 2023]

[3] “Rogue Domain Controller,” MITRE ATT&CK. [Online]. Available: https://attack.mitre.org/techniques/T1207/. [Accessed: Aug. 21, 2023]
