DCShadow: detecting a rogue domain controller replicating malicious changes to your Active Directory
Earlier this year, during Microsoft’s invite-only premier security conference BlueHat in Israel, the creator behind the popular mimikatz tool, Benjamin Delpy, along with Vincent Le Toux announced a new post-exploitation dominance method for Active Directory which they call DCShadow.
I could be anything, so I choose to be a Domain Controller
DCShadow is a post-exploitation technique rather than an exploit: an attacker who already holds Domain Admin (or equivalent) rights registers a rogue Domain Controller in the directory and uses the normal replication protocol to push arbitrary changes to 'normal' directory objects, such as user, group or computer accounts, into the legitimate Domain Controllers. Concretely, DCShadow creates the server and NTDS Settings objects that make a Domain Controller known to the forest, adds the replication SPNs to an existing computer account (for example the attacker's workstation), and then triggers replication so that a legitimate Domain Controller pulls the forged changes and synchronizes them to the other Domain Controllers. Because the changes arrive as replicated data rather than as writes made on a Domain Controller, they do not show up as ordinary directory changes in the security log of the Domain Controller that accepts them, and the rogue Domain Controller is unregistered again once the changes have been replicated.
How can I protect myself from these types of attacks?
DCShadow is not a vulnerability in the strict sense: it abuses legitimate replication with rights the attacker already has, so there is nothing for Microsoft to patch. What makes it dangerous is that it gives an attacker persistence (for example by adding SID History or group membership to an account they control) while hiding from most SIEM deployments, which typically alert on directory-change events that DCShadow does not produce. Detection therefore has to look at the replication itself: which machines present themselves as Domain Controllers, which computer accounts carry replication SPNs, and which server objects appear under the Sites container. Microsoft's Azure Advanced Threat Protection (ATP) does exactly that, because it inspects Domain Controller network traffic instead of relying on events only, and it includes detections for DCShadow, which makes it one of the few products that flag this kind of malicious intent.
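As an added example (written for this post, not code from the original article or from the DCShadow authors), the PowerShell below turns the two facts from the description above into a hunting query: a rogue Domain Controller must carry the replication SPNs on its computer account, and it must be registered as a server object with an NTDS Settings (nTDSDSA) child under CN=Sites in the Configuration partition. It assumes the RSAT ActiveDirectory module and an account that can read the Configuration partition; the function and variable names are our own, while the object classes, attributes and SPN formats are the standard Active Directory ones.

```powershell
# Added example, not code from the original post or from the DCShadow authors.
# Assumes the RSAT ActiveDirectory module and an account that can read the
# Configuration partition. Function and variable names are our own; the object
# classes, attributes and SPN formats are the standard Active Directory ones.
Import-Module ActiveDirectory

function Find-DCShadowArtifacts {
    [CmdletBinding()]
    param()

    # Ground truth: the Domain Controllers the domain itself knows about.
    # (In a multi-domain forest, build this list from every domain instead.)
    $legitDCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    $findings = New-Object System.Collections.Generic.List[object]

    # Check 1: a rogue DC needs the SPNs a replication partner expects on its
    # machine account: 'GC/<host>/<domain>' and the Directory Replication
    # Service class 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/<domain>'.
    # Any computer account that is not a DC but carries either SPN is suspect.
    $drsSpnPattern = '^(GC/|E3514235-4B06-11D1-AB04-00C04FC2DCD2/)'
    $computers = Get-ADComputer -Filter * -Properties servicePrincipalName, whenChanged
    foreach ($c in $computers) {
        if ($legitDCs -contains $c.Name) { continue }
        $suspectSpns = @($c.servicePrincipalName | Where-Object { $_ -match $drsSpnPattern })
        if ($suspectSpns.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Check  = 'NonDC-with-replication-SPN'
                Object = $c.DistinguishedName
                Detail = ($suspectSpns -join '; ')
                When   = $c.whenChanged
            })
        }
    }

    # Check 2: the rogue DC is registered as a server object with an
    # 'NTDS Settings' (nTDSDSA) child under CN=Sites in the Configuration NC.
    # An nTDSDSA object whose parent server is not a real DC is a rogue one.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsaObjects = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                               -LDAPFilter '(objectClass=nTDSDSA)' `
                               -Properties whenCreated
    foreach ($dsa in $dsaObjects) {
        if ($dsa.DistinguishedName -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,') {
            $serverName = $Matches[1]
            if ($legitDCs -notcontains $serverName) {
                $findings.Add([pscustomobject]@{
                    Check  = 'nTDSDSA-without-real-DC'
                    Object = $dsa.DistinguishedName
                    Detail = "server '$serverName' is not a known Domain Controller"
                    When   = $dsa.whenCreated
                })
            }
        }
    }

    return $findings
}

# Run it; an empty table is the expected result on a clean domain.
Find-DCShadowArtifacts | Format-Table -AutoSize
```

Because DCShadow unregisters the rogue Domain Controller as soon as the changes have replicated, this point-in-time check mostly catches the attack while it is running, so schedule it and pair it with event-based detection: security event 4742 (computer account changed) where the added SPNs match the pattern above, and events 5137/5141 (object created/deleted) on objects under CN=Sites in the Configuration partition, which requires Directory Service Changes auditing to be enabled on that partition.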
Wortell can help design and implement Azure ATP and other (cloud) security measures, and we also provide them as a service through our Security Operations Center (SOC). Contact us for more information.
— Maarten Goet, MVP & RD