DCShadow

DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.

The attack is carried out in the following steps:

  • Registering the "DC" by creating two objects in the CN=Configuration partition and altering the SPN of the computer account used.

  • Pushing the data (triggered using DrsReplicaAdd, the KCC, or other internal AD events).

  • Removing the objects previously created, to demote the rogue DC.

It is a post-exploitation attack (also called a domination attack) because it requires Domain Admin (or Enterprise Admin) privileges: you need enough privileges to create a rogue Domain Controller and push changes to the Active Directory objects held by the DC.

To perform the attack you need two mimikatz instances. One of them starts the RPC servers with SYSTEM privileges (this is where you specify the changes you want to perform), and the other is used to push the values. So download a fresh copy of mimikatz and transfer it to the compromised workstation. Open a CMD prompt with system privileges. Use !+ to register the service and start it with SYSTEM privileges. Then use !processtoken to steal the SYSTEM token from the running service; that token is used to fake the Domain Controller.

In this case we are changing the user's privileges from Domain User to Domain Admin. Let's change the primaryGroupID of victim to 512 (Domain Admins).

mimikatz1 (RPC servers)
!+
!processtoken
lsadump::dcshadow /object:victim /attribute:primaryGroupID /value:512

Open another CMD prompt with Domain Admin privileges and type the command below to push the changes to the Domain Controller.

mimikatz2 (push) - Needs DA or similar
lsadump::dcshadow /push

congratz
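Each of the three steps listed above (registering the rogue "DC" objects under CN=Configuration plus the SPN change, pushing replication, removing the objects) and the mimikatz walk-through that follows them leaves artefacts in the Windows Security log of the legitimate DCs: 5137/5141 (directory object created/deleted) for server and nTDSDSA objects under CN=Sites,CN=Configuration, 4742 (computer account changed) with GC/ or DRS-interface SPNs on an account that is not a known DC, and 4929 (replica source naming context removed) naming a source that is not a DC. The detection below is an added example written for this page, not part of the original write-up or of mimikatz. It runs over constructed events; the hostnames, domain, user names and the DSA GUID are made up, and the event field names assume EventData has already been parsed into a dict.

```python
"""Flag DCShadow artefacts in (constructed) Windows Security events."""
from collections import defaultdict

# Service class of the DRS RPC interface: a rogue DC registers an SPN
# "<this GUID>/<DSA object GUID>/<domain>" on its computer account.
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
CONFIG_SITES_SUFFIX = "cn=sites,cn=configuration,"

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # benign: a legitimate DC's own account updated
    {"EventId": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": ["GC/DC01.lab.local/lab.local", "ldap/DC01.lab.local"]},
    # step 1: rogue "DC" objects created under CN=Sites,CN=Configuration
    {"EventId": 5137, "SubjectUserName": "alice", "ObjectClass": "server",
     "ObjectDN": "CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local"},
    {"EventId": 5137, "SubjectUserName": "alice", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local"},
    # step 1: DC-style SPNs added to a workstation's computer account
    {"EventId": 4742, "TargetUserName": "WS01$",
     "ServicePrincipalNames": ["GC/WS01.lab.local/lab.local",
                               DRS_SPN_GUID + "/11111111-2222-3333-4444-555555555555/lab.local"]},
    # benign: an ordinary user object created elsewhere
    {"EventId": 5137, "SubjectUserName": "hr-admin", "ObjectClass": "user",
     "ObjectDN": "CN=Bob,OU=Staff,DC=lab,DC=local"},
    # step 2/3: replication from the rogue source, then the objects are removed
    {"EventId": 4929, "SourceAddr": "WS01.lab.local", "NamingContext": "DC=lab,DC=local"},
    {"EventId": 5141, "SubjectUserName": "alice", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local"},
]

KNOWN_DCS = {"DC01"}  # constructed inventory of legitimate domain controllers


def _host_from_account(name):
    """'WS01$' or 'WS01.lab.local' -> 'WS01'."""
    return name.rstrip("$").split(".")[0].upper()


def _host_from_dn(dn):
    """Server name from a server or nTDSDSA DN under CN=Sites."""
    rdns = [part.split("=", 1)[1] for part in dn.split(",")]
    if rdns[0].lower() == "ntds settings":   # nTDSDSA sits one level below the server object
        rdns = rdns[1:]
    return rdns[0].upper()


def is_dc_spn(spn):
    """SPNs only a domain controller should hold: Global Catalog and DRS interface."""
    upper = spn.upper()
    return upper.startswith("GC/") or upper.startswith(DRS_SPN_GUID.upper())


def analyze(events, known_dcs):
    """Return findings per event and the hosts hit by two or more independent rules."""
    known = {h.upper() for h in known_dcs}
    findings = []
    rules_hit = defaultdict(set)

    for ev in events:
        eid = ev["EventId"]
        if eid in (5137, 5141) and ev.get("ObjectClass") in ("server", "nTDSDSA") \
                and CONFIG_SITES_SUFFIX in ev["ObjectDN"].lower():
            host = _host_from_dn(ev["ObjectDN"])
            if host not in known:
                verb = "created" if eid == 5137 else "deleted"
                findings.append((eid, host, f"{ev['ObjectClass']} object {verb} under CN=Sites by {ev['SubjectUserName']}"))
                rules_hit[host].add("config-object")
        elif eid == 4742:
            host = _host_from_account(ev["TargetUserName"])
            bad = [s for s in ev.get("ServicePrincipalNames", []) if is_dc_spn(s)]
            if bad and host not in known:
                findings.append((eid, host, "DC-style SPN(s) on a non-DC account: " + ", ".join(bad)))
                rules_hit[host].add("dc-spn")
        elif eid == 4929:
            host = _host_from_account(ev["SourceAddr"])
            if host not in known:
                findings.append((eid, host, "replication source removed that is not a known DC"))
                rules_hit[host].add("replication")

    rogue = {h for h, rules in rules_hit.items() if len(rules) >= 2}
    return {"findings": findings, "rogue_hosts": rogue}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS, KNOWN_DCS)
    for eid, host, detail in result["findings"]:
        print(f"[{eid}] {host}: {detail}")
    print("hosts matching the DCShadow pattern:", sorted(result["rogue_hosts"]))
```

The correlation step is the point: a single 4742 with a GC/ SPN, or a single 5137 under CN=Sites, can be a legitimate DC promotion, so the rule only calls a host rogue when it appears in at least two of the three independent indicator classes and is absent from the DC inventory. Because the rogue DC never logs the attribute change itself, these events from the legitimate DCs are the only local trace of the primaryGroupID push described above.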

Reference for more details as usual:
