By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
DCShadow is a technique in which an attacker abuses compromised replication permissions to mimic a domain controller and make malicious changes to Active Directory. It is a particularly stealthy technique, as the methods it uses do not create logs that detail the changes made. Thus, it can be difficult to discover and remove the changes made by an adversary. Threat Summary Target: Active Directory Tools: mimikatz ATT&CK® Tactic: Defense Evasion ATT&CK Technique: T1207 Difficulty Detection: Medium Mitigation: Medium Response: Hard
Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker’s permission on a protected object the AdminSDHolder controls.
By stealing the Ntds.dit file – Active Directory’s database – an attacker can extract a copy of every user’s password hash and subsequently act as any user in the domain.