
Domain Persistence: DC Shadow Attack

In this post we discuss DCShadow, one of the most powerful attacks on Active Directory, used here for domain persistence. It creates a rogue domain controller in the network and uses normal AD replication to write arbitrary changes into the directory. It is a real threat because the changes it plants open the door to other attacks, such as DCSync and the Golden Ticket attack.

DCShadow Attack

DCShadow is a feature of Mimikatz (lsadump::dcshadow) that manipulates Active Directory (AD) data, including objects and schema, by registering a rogue domain controller and replicating changes from it. It simulates the behaviour of a Domain Controller (DC), using RPC protocols such as DRSUAPI that are normally spoken only between DCs, to inject its data. Because the change arrives at the legitimate DC through replication rather than as a local directory write, it bypasses most common security controls, including the directory-change events your SIEM usually relies on. DCShadow shares some similarities with the DCSync attack (already present in the lsadump module of Mimikatz), but where DCSync reads directory data from a DC, DCShadow writes it.

It is a post-exploitation attack (also called a domination attack) because it requires Domain Admin (or Enterprise Admin) privileges to register the rogue DC and push the changes.

Description of the attack

The attacks are done using the following steps:

  • Registering the rogue “DC” by creating two objects in the CN=Configuration partition (a server object and its nTDSDSA child under CN=Sites) and adding the DC service principal names to the computer account used.
  • Pushing the data (replication is triggered using DrsReplicaAdd, the KCC or other internal AD events).
  • Removing the objects previously created to demote the rogue DC.
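The three steps above leave a small but specific trail on the legitimate domain controller: a computer account that is not a DC suddenly gains the GC/ and DRS replication SPNs (event 4742), and an nTDSDSA object is created and then deleted in the Configuration partition (events 5137 and 5141). The following PowerShell is an added hunting example, not code from the original post or from Mimikatz. It assumes it is run on (or against) a DC where "Computer Account Management" and "Directory Service Changes" auditing are enabled, and it uses plain ADSI so no RSAT module is required.

```powershell
# Added example (not part of the original post): hunt for DCShadow registration
# artifacts on a domain controller. Assumes auditing of events 4742/5137/5141
# is enabled and the caller can read the Security log of the target DC.

# SPN prefixes DCShadow adds to the rogue computer account. The GUID is the
# well-known DRS (Directory Replication Service) SPN class documented at dcshadow.com.
$DrsSpnPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/'
$GcSpnPrefix  = 'GC/'

function Get-EventDataValue {
    # Pull a named <Data> element out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LegitimateDcNames {
    # Computer accounts whose primary group is Domain Controllers (RID 516) or
    # Read-only Domain Controllers (RID 521). Any other computer carrying DC SPNs is suspect.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))'
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0].ToString().ToUpper() }
}

function Find-DcShadowSpnEvents {
    # 4742 events where a non-DC computer account gained the replication SPNs.
    # DCShadow removes the SPNs again on /push, so expect a second 4742 for the same host.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-7))
    $dcs = Get-LegitimateDcNames
    $filter = @{ LogName = 'Security'; Id = 4742; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = Get-EventDataValue $_ 'TargetUserName'      # e.g. CLIENT01$
            $spns   = Get-EventDataValue $_ 'ServicePrincipalNames'
            if ($spns -and $spns -match [regex]::Escape($DrsSpnPrefix) -and $target.ToUpper() -notin $dcs) {
                $suspect = $spns -split '\s+' | Where-Object { $_ -like "$GcSpnPrefix*" -or $_ -like "$DrsSpnPrefix*" }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Computer  = $target
                    ChangedBy = Get-EventDataValue $_ 'SubjectUserName'
                    Spns      = $suspect -join ' '
                }
            }
        }
}

function Find-DcShadowNtdsDsaEvents {
    # 5137 (object created) / 5141 (object deleted) for nTDSDSA objects: the register/demote pair.
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 5137, 5141; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataValue $_ 'ObjectClass') -eq 'nTDSDSA' } |
        ForEach-Object {
            $action = if ($_.Id -eq 5137) { 'Created' } else { 'Deleted' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $action
                Object = Get-EventDataValue $_ 'ObjectDN'
                By     = Get-EventDataValue $_ 'SubjectUserName'
            }
        }
}

function Find-UnexpectedNtdsDsa {
    # Live check: every nTDSDSA object in the Configuration partition should sit under a
    # server object named after a real DC. DCShadow deletes its objects on /push, so a
    # leftover here points at an interrupted or still-running attack.
    $configDn = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configDn")
    $searcher.Filter = '(objectClass=nTDSDSA)'
    # Server object CNs are hostnames without the trailing '$' of the sAMAccountName.
    $dcs = Get-LegitimateDcNames | ForEach-Object { $_.TrimEnd('$') }
    $searcher.FindAll() | ForEach-Object {
        $dn = $_.Properties['distinguishedname'][0]
        # DN is CN=NTDS Settings,CN=<ServerName>,CN=Servers,CN=<Site>,CN=Sites,...
        $server = ($dn -split ',')[1] -replace '^CN=', ''
        if ($server.ToUpper() -notin $dcs) { $dn }
    }
}

Find-DcShadowSpnEvents     | Format-Table -AutoSize
Find-DcShadowNtdsDsaEvents | Format-Table -AutoSize
Find-UnexpectedNtdsDsa
```

The SPN check is the most reliable of the three, because a legitimate DC promotion also creates an nTDSDSA object, whereas a workstation or member server acquiring the DRS SPN has no benign explanation. Correlate the 4742 and 5137/5141 events by time and SubjectUserName to identify the account that ran the push.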

Walkthrough

Identifying the Compromised User

Using the compromised account, we identify the logged-on user, “Yashika”, and note that it is only a member of the Domain Users group.

net user yashika /Domain


Setting Up Mimikatz for the DC Shadow Attack

To perform the DCShadow attack you need Mimikatz on the compromised host. Run it as an administrator so that the “!+” and “!processtoken” commands work: “!+” registers and starts the mimidrv kernel driver, and “!processtoken” uses it to give the current process a SYSTEM token. The rogue-DC RPC server started in the next step needs this SYSTEM context on the host.

!+
!processtoken
token::whoami

“token::whoami” then shows the current identity; as you can observe, it is now NT AUTHORITY\SYSTEM.


Executing the DC Shadow Attack

Now, in this SYSTEM-level instance, execute the following command. It registers the bogus domain controller and stages a single change: set the primaryGroupID attribute of user Yashika to 512, the RID of the Domain Admins group. The instance then waits for a replication request.

lsadump::dcshadow /object:yashika /attribute:primaryGroupID /value:512

Open a second Mimikatz in a new terminal, this one running as a domain admin, and execute the following command. It asks a legitimate domain controller to replicate from the bogus one, which delivers the staged attribute change, and then removes the rogue DC registration.

lsadump::dcshadow /push


After the push, we check user Yashika again and see that it has become a member of the Domain Admins group.

net user yashika /Domain

Why DC Shadow is a Powerful Attack

DCShadow is considered a dynamic attack. A membership granted through primaryGroupID is carried by the user object, not by the group's member attribute, so the account never appears in the Domain Admins member list and cannot be removed from there; an administrator has to notice the primaryGroupID value itself and set it back to 513 (Domain Users) to revoke the access.
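Because the rogue membership lives in the user's primaryGroupID rather than in the group's member attribute, the practical check is to query for users whose primaryGroupID is a privileged RID. The PowerShell below is an added example, not code from the original post or from Mimikatz. It uses plain ADSI, resolves Domain Users by its well-known SID rather than by name, and assumes the caller has rights to modify the affected account. The remediation order matters: primaryGroupID can only be set to a group the user already belongs to, and DCShadow skips the DC-side bookkeeping that would have added the user to Domain Users' member list, so the explicit membership is added first.

```powershell
# Added example (not part of the original post): find accounts whose privileged
# group membership is carried only by primaryGroupID, and put them back into
# Domain Users. Plain ADSI, no RSAT required.

# RIDs of built-in domain groups that should never be anyone's primary group.
$PrivilegedPrimaryGroupRids = @{
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
}
$DomainUsersRid = 513

function Find-PrivilegedPrimaryGroup {
    # Users whose primaryGroupID points at a privileged group. Such a user does not
    # appear in the group's member attribute, and memberOf never lists the primary
    # group, so an account tied to Domain Admins only by primaryGroupID shows no
    # Domain Admins entry in ExplicitMemberOf.
    $filterParts = $PrivilegedPrimaryGroupRids.Keys | ForEach-Object { "(primaryGroupID=$_)" }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(|$($filterParts -join '')))"
    foreach ($p in 'sAMAccountName', 'distinguishedName', 'primaryGroupID', 'memberOf') {
        $searcher.PropertiesToLoad.Add($p) | Out-Null
    }
    $searcher.FindAll() | ForEach-Object {
        $rid = [int]$_.Properties['primarygroupid'][0]
        [pscustomobject]@{
            Account          = $_.Properties['samaccountname'][0]
            PrimaryGroup     = $PrivilegedPrimaryGroupRids[$rid]
            Rid              = $rid
            ExplicitMemberOf = ($_.Properties['memberof'] | ForEach-Object { $_ }) -join '; '
            Dn               = $_.Properties['distinguishedname'][0]
        }
    }
}

function Get-DomainUsersEntry {
    # Bind Domain Users by SID (<domain SID>-513) so a renamed or localised CN does not matter.
    $domainDn  = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'][0]
    $sidBytes  = ([ADSI]"LDAP://$domainDn").Properties['objectSid'][0]
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    [ADSI]"LDAP://<SID=$domainSid-$DomainUsersRid>"
}

function Get-PrimaryGroupRid {
    param([Parameter(Mandatory)][string]$UserDn)
    [int]([ADSI]"LDAP://$UserDn").Properties['primaryGroupID'][0]
}

function Repair-PrimaryGroup {
    # Reset the account's primary group to Domain Users. Step 1 adds the explicit
    # membership (required before primaryGroupID may point at the group); step 2
    # rewrites primaryGroupID. Once done, any membership the attacker also wrote
    # into Domain Admins' member attribute is visible and removable the usual way.
    param([Parameter(Mandatory)][string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $domainUsers = Get-DomainUsersEntry
    try { $domainUsers.Add($user.Path) } catch { Write-Verbose "Already an explicit member of Domain Users" }
    $user.Put('primaryGroupID', $DomainUsersRid)
    $user.SetInfo()
    Get-PrimaryGroupRid -UserDn $UserDn   # expected: 513
}

Find-PrivilegedPrimaryGroup | Format-Table Account, PrimaryGroup, ExplicitMemberOf -AutoSize
# Remediate one account once the finding is confirmed (DN is hypothetical), e.g.:
# Repair-PrimaryGroup -UserDn 'CN=yashika,CN=Users,DC=ignite,DC=local'
```

Run the finder on a schedule and alert on any row: in a healthy domain the query returns nothing, because no account should have a privileged group as its primary group. Treat a hit as a compromise indicator, not just a misconfiguration, and reset the account's credentials as well as its primaryGroupID.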

This attack also becomes a ladder for other attacks, such as DCSync. As discussed earlier, once an account is a member of a privileged group such as Domain Admins or Enterprise Admins, an intruder can imitate a domain controller with DCSync and request the NTLM hashes of any user from the real domain controllers on the network. Read more about it here.

lsadump::dcsync /domain:ignite.local /user:krbtgt

Once the intruder has the hash of the krbtgt account (the key the KDC uses to sign tickets), he can forge a Golden Ticket, described here. That is why we call DCShadow the most dynamic attack on AD.


Reference: https://www.dcshadow.com/