DCShadow: detecting a rogue domain controller replicating malicious changes to your Active Directory

Earlier this year, during Microsoft’s invite-only premier security conference BlueHat in Israel, the creator of the popular mimikatz tool, Benjamin Delpy, along with Vincent Le Toux, announced a new post-exploitation dominance method for Active Directory which they call DCShadow.

While it is not a vulnerability in the strict sense, it is certainly a way to hide from most SIEM systems and gain persistence. Because Microsoft’s Advanced Threat Protection (ATP) solutions do not rely only on events, they are one of the few ways to detect the malicious intent.

I could be anything, so I choose to be a Domain Controller

A DCShadow attack on Active Directory is an attack designed to change directory objects using malicious replication. During this attack, DCShadow impersonates a Domain Controller using administrative rights and starts a replication process, so that changes made on one Domain Controller are synchronized with other Domain Controllers. DCShadow abuses the Directory Replication Service (DRS) Remote Protocol [MS-DRSR] and Active Directory Technical specification [MS-ADTS].

If you want to get the TL;DR on how Active Directory works with regard to domain controllers, the replication process, and the exact inner workings of DCShadow, please head over to an excellent in-depth blog by Luc Delsalle.

Rogue replication

As Luc points out, the research done by Vincent and Benjamin shows that only two SPNs need to be registered on the computer account for it to be accepted into the replication process by other Domain Controllers.

Mimikatz executes the DCShadow attack as a three-step process: (1) it sets these SPNs as part of the DCShadow functionality, (2) it temporarily hosts the RPC functions required by the MS-DRSR process to serve the illegitimate data for outbound replication, and (3) as a last step, it forces replication through the IDL_DRSReplicaAdd RPC.
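The two SPNs give defenders something concrete to audit. The following added example (not from the original post or the tools it mentions) scans an export of computer accounts for replication-related SPNs on accounts that are not domain controllers. The service classes checked (the DRS interface GUID and GC), the userAccountControl test and the sample records are assumptions supplied here, since the page does not list them.

```python
DRS_INTERFACE_GUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # MS-DRSR interface GUID
DC_ONLY_SERVICE_CLASSES = {"gc", DRS_INTERFACE_GUID}  # assumption: not listed on the page
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit carried by real DC accounts

# Constructed sample export: DN, userAccountControl, servicePrincipalName values.
SAMPLE_ACCOUNTS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "userAccountControl": 0x82000,
     "servicePrincipalName": [
         "GC/DC01.corp.example/corp.example",
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
         "11111111-2222-3333-4444-555555555555/corp.example",
         "HOST/DC01.corp.example"]},
    {"dn": "CN=WS042,OU=Workstations,DC=corp,DC=example",
     "userAccountControl": 0x1000,
     "servicePrincipalName": [
         "HOST/WS042.corp.example",
         "GC/WS042.corp.example/corp.example",
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
         "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/corp.example"]},
    {"dn": "CN=WS043,OU=Workstations,DC=corp,DC=example",
     "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/WS043.corp.example"]},
]

def service_class(spn):
    """Lower-cased service class: the part of the SPN before the first slash."""
    return spn.split("/", 1)[0].lower()

def dc_only_spns(spns):
    """Return the SPNs whose service class belongs on a domain controller."""
    return [s for s in spns if service_class(s) in DC_ONLY_SERVICE_CLASSES]

def audit(accounts):
    """Flag non-DC computer accounts that carry replication-related SPNs."""
    findings = []
    for acct in accounts:
        is_dc = bool(acct["userAccountControl"] & SERVER_TRUST_ACCOUNT)
        hits = dc_only_spns(acct.get("servicePrincipalName", []))
        if hits and not is_dc:
            both = {service_class(h) for h in hits} == DC_ONLY_SERVICE_CLASSES
            findings.append({"dn": acct["dn"], "spns": hits, "both": both})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```

Run a check like this on a schedule rather than once, because the page describes the rogue Domain Controller role as temporary.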

Here’s a high-level overview and flowchart:

What is DCShadow not?

It is not a way to do privilege escalation. You already need to be part of the Domain Admins or Enterprise Admins group, as you will need the rights to “register yourself as a new member of the replication process”.

But once you get there, you can use DCShadow to further work on domain dominance, modify Active Directory without being noticed by SIEM systems, and use it as a way to gain persistence. There is one caveat: one of the main limitations of the attack is that an attacker cannot inject new objects into the targeted AD domain.

Sneak by the SIEM system

One of the main strengths of DCShadow is that it is reasonably stealthy for attackers. In the general case, Domain Controllers are in charge of creating events when a security process occurs. With DCShadow, illegitimate actions are taken on a rogue DC. The event logs that could have helped blue teams to detect the attack (using their SIEM, for instance) will never be created. This also means that there are no Yara rules to look at and import into your system.

This means that Blue teams need to completely rethink their strategy and shift their focus from log analysis to Active Directory configuration analysis. MITRE’s ATT&CK framework provides direction on where to start if you want to involve network monitoring:

“Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to and from non-DC hosts. DC replication will naturally take place every 15 minutes but can be triggered ad-hoc by an attacker.”
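One way to apply the quoted guidance, as an added example that is not part of the original post: it reads RPC call records and flags the three named replication calls whenever one endpoint is not a known Domain Controller. The CSV layout, IP addresses and DC inventory are constructed for illustration; the interface UUID and opnums are those of the drsuapi interface in [MS-DRSR].

```python
import csv
import io

DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # MS-DRSR drsuapi interface
# drsuapi opnums for the three calls named in the quoted guidance
WATCHED = {3: "GetNCChanges", 5: "DrsReplicaAdd", 17: "DrsAddEntry"}
KNOWN_DCS = frozenset({"10.0.0.10", "10.0.0.11"})  # constructed DC inventory

# Constructed sensor export (hypothetical CSV layout, not a real product format).
SAMPLE_LOG = """ts,src,dst,interface,opnum
2018-07-01T09:00:00Z,10.0.0.10,10.0.0.11,e3514235-4b06-11d1-ab04-00c04fc2dcd2,3
2018-07-01T09:07:12Z,10.0.5.42,10.0.0.10,e3514235-4b06-11d1-ab04-00c04fc2dcd2,17
2018-07-01T09:07:13Z,10.0.5.42,10.0.0.10,E3514235-4B06-11D1-AB04-00C04FC2DCD2,5
2018-07-01T09:07:14Z,10.0.0.10,10.0.5.42,e3514235-4b06-11d1-ab04-00c04fc2dcd2,3
2018-07-01T09:08:00Z,10.0.5.42,10.0.0.10,12345778-1234-abcd-ef00-0123456789ac,3
2018-07-01T09:15:00Z,10.0.0.11,10.0.0.10,e3514235-4b06-11d1-ab04-00c04fc2dcd2,0
"""

def flag_replication(log_text, known_dcs=KNOWN_DCS):
    """Return alerts for watched drsuapi calls that involve a non-DC endpoint."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["interface"].lower() != DRSUAPI_UUID:
            continue  # a different RPC interface
        call = WATCHED.get(int(row["opnum"]))
        if call is None:
            continue  # bind and other drsuapi calls are not scored here
        src_is_dc = row["src"] in known_dcs
        dst_is_dc = row["dst"] in known_dcs
        if src_is_dc and dst_is_dc:
            continue  # ordinary DC-to-DC replication
        direction = "from non-DC" if not src_is_dc else "to non-DC"
        alerts.append((row["ts"], call, direction, row["src"], row["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in flag_replication(SAMPLE_LOG):
        print(*alert)
```

The "to non-DC" GetNCChanges row is the case where a Domain Controller pulls changes from a host that is not in the DC inventory.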

Advanced Threat Protection (ATP) to the rescue

The successor to Microsoft ATA, Microsoft’s solution for protecting your Active Directory, is now called Azure ATP. It does not rely on events that get forwarded from your domain controller, but instead uses its own sensors that you install on your DC. The sensor does capture events, but it also looks at network traffic and in-memory processes, and other new methods get added as detections need them. This is why Azure ATP actually detects (potential) DCShadow attacks.

Microsoft also has aggregated endpoint protection called Windows Defender ATP (WDATP). You can have Windows Defender on your Windows Servers connect to the central service and get insights on what is happening on your member servers, for instance whether Mimikatz is being used.
Through Microsoft’s new intelligent security graph, these ATP services connect together and provide a holistic view of your environment. You can pivot from Azure ATP’s identity-centric view to Windows Defender ATP’s machine- & user-centric views and vice versa. This way you can track an attacker’s lateral movement.

Part of a Blue team? Practice DCShadow!

Are you a defender, and on the “blue team”? Run the DCShadow attack yourself and see if you can detect it, to become a better defender. Start Mimikatz, running as an account that is part of Domain Admins or Enterprise Admins:

Now start another mimikatz process (leave the other window open) and push the object changes:

If you don’t have Microsoft’s ATP solutions in place, or are simulating the DCShadow attack in a lab, there are two other options for you to detect the attack.

On GitHub you’ll find DCSYNCMONITOR which you can compile and run as a service on your Domain Controller; when an attempt is detected, the tool will write an event to the event log.

There is also a proof-of-concept PowerShell script called Uncover-DCShadow available on GitHub that can detect the attack.

— Maarten Goet, MVP & RD
