What is DCShadow?

What is DCShadow?

Threat (Persistence)

DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.

How the DCShadow Attack Works

The following is a summarization of how the attack works:

  1. An attacker obtains Domain Admin rights and wants to make changes that will not be detected to create persistence.
  2. Using DCShadow (a feature of Mimikatz) the attacker will register the computer it is run from (such as a workstation) as a Domain Controller in Active Directory by making changes to the AD’s Configuration schema and the workstation’s SPN values. Now AD thinks this workstation is a Domain Controller and it is trusted to replicate changes.
  3. A change is crafted by the attacker. The workstation makes this change available to a legitimate Domain Controller through replication.
  4. Replication is triggered by DCShadow and the change is replicated and then committed by a legitimate Domain Controller

Important Notes about DCShadow:

  • Because the changes are committed through replication, these changes are not logged to the event log how other changes would be. That is normally done on the Domain Controller where the changes originated, but in this case there is no actual DC where the changes originated from.
    • This makes it difficult to detect
  • The DCShadow attack uses native features of Active Directory, so it is not a vulnerability and cannot be patched.
    • This makes it difficult to prevent

Video Tutorial

Watch this brief video of a DCShadow attack in action:

Potential Solutions and Mitigating Controls for DCShadow

While the changes made using DCShadow will not show up in your Domain Controller security logs because they are committed through replication, there are pieces of information within the event logs that can be indicators of DCShadow in use.

Using Event ID 4742, you can look for the addition of two particular Service Principal Names (SPNs) to a computer which is not a Domain Controller, followed by the removal of those SPNs.

Using Event IDs 5137 and 5141, you can detect the creation and subsequent deletion of a Domain Controller (the rogue DC created by DCShadow) inside the Configuration Namespace within the Sites container in AD.

Using Event ID 4929 (a replication event) can also be a useful indicator of DCShadow in use if you can determine that the source of this event is a computer which is not recognized as a legitimate Domain Controller.

Addtional Resources

DCShadow Resources:

Related Attacks & Concepts:

Solutions: