In this blog in the IT security under attack series, we will learn about an advanced Active Directory (AD) domain controller (DC) attack to obtain persistence in AD environments.
Dubbed DCShadow, this is a late-stage kill chain attack that allows a threat actor with admin (domain or enterprise admin) credentials to leverage the replication mechanism in AD to register a rogue domain controller in order to inject backdoor changes to an AD domain. With that rogue DC, the attacker can manipulate AD data, including objects, and schemas.
Description of the attack:
DCShadow is a command within the scripting tool, popularly known as mimikatz. DCShadow is similar to it’s older brother, the DCSync attack, which leverages the replication privileges of the members of the Domain Admins group to request a domain controller for data replication changes, including user credentials. More details on the DCsync attack are available here.
One of the main limitations in a DCSync attack is that it’s impossible for the attacker to inject new changes to the objects in the targeted AD domain. But, the attacker can, at any time, request the password hashes of an admin user via replication, and the hashes can then be used in pass-the-hash attacks, or even be cracked offline. Once the hashes are obtained, they can be used to login as the admin user, and manipulate objects on the AD domain. However, this attack strategy involves many steps, and introduces more chances for detection.
With DCShadow, attackers no longer have to replicate data, but can register new domain controllers in the targeted infrastructure to inject backdoor changes in AD objects, or alter existing ones by replacing the attributes’ values.
Working of the DCShadow attack:
Once a threat actor has acquired access to an account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.
- Using the DCShadow command the attacker will register the computer, such as a workstation, it is run from as a DC. Now AD thinks this workstation is a domain controller, and it is trusted to replicate changes.
- Any backdoor change, such as SIDHistory, passwords, account attribute values, group membership, can be injected by the attacker and submitted for replication.
- Replication is triggered by DCShadow, the change is replicated, and then committed by a legitimate Domain Controller.
Detecting DCShadow attack using native tools:
Mimikatz is a widely used tool for launching the DCShadow attack, but it does not mean there aren’t other ways:
- A malicious end user could download Remote Server Administration Tools (RSAT) in an attempt to promote a server to a domain controller (Event ID 29223).
- Apart from the admin groups in AD, groups in other platforms, such as the Exchange Windows Permissions group that can also be used to manipulate permissions on the domain, thereby leading to the attack.
The only way to detect these malicious security changes is to analyze the log data stored in Windows Event Viewer.
However, any backdoor change made to your AD objects by DCShadow will not be captured by the event logs. Detecting DCShadow attacks by tracking the changes injected into your AD objects is not an option.
There are a few promising indicators of compromise that can come in handy for detecting the DCShadow attack on your AD infrastructure:
- SPN changes: Two service principal name (SPN) values, the Global catalog SPN and Directory Service Replication SPN, will be added to the computer that is temporarily promoted as the rogue domain controller, and that is used to execute the DCShadow attack. Detecting the SPN changes can help you spot the rogue workstation that is disguised as the DC..
- Changes to the domain configuration namespace: Along with the SPN values, the DCShadow attack also creates a DC inside of the Configuration Namespace of the domain, more specifically within the CN=Sites,CN=Default-first-site-name,CN=Servers,CN=Rogue DC location.
- After the backdoor change is replicated, it will immediately delete the newly created rogue DC to cover any tracks.
- Replication between DCs: It is also possible to monitor replication between DCs to detect DCShadow. However, replication events in AD are large in volume, and parsing through them to detect sensitive changes is time-consuming.
- Event ID 4929 can be a useful indicator, as it will identify that a source naming context has been removed, and it will point to the rogue DC as the source.
All of these events must be spotted at the right time, and correlated with each other to unmask a potential DCShadow attack attempt.
Sometimes, detecting a security event is not sufficient. We must have a real-time alert mechanism, and a mitigation action in position to counter any unauthorized security changes.
Want to learn how to build a detection strategy? Visit our IT security under attack page, watch live simulations of widely used AD attack techniques like DCShadow, and build a complete defense strategy with ManageEngine Log360.