Why Most Organizations Still Can’t Defend against DCShadow

By Darren Mar-Elia July 16, 2019 | General

DCShadow is a readily available technique that allows an attacker to establish persistent privileged access in Microsoft Active Directory (AD).

Specifically, DCShadow allows an attacker with privileged access to create and edit arbitrary objects in AD without anyone knowing. This allows the attacker to create backdoors all over AD that can’t be detected, even if the original privileged access is.

Much has been written about DCShadow, yet most organizations still can’t defend against it.

While that’s a huge concern, it shouldn’t come as a complete surprise given that DCShadow is specifically designed to circumvent existing security measures. So, what can you do about it?

What is DCShadow

DCShadow is a feature of the open-source Mimikatz utility (available for download here). Mimikatz is the leading post-exploitation tool for Windows credential-based attacks and has been used in many of today’s most destructive cyberattacks, including LockerGoga, NotPetya, WannaCry, SamSam, and no doubt more to come.

How DCShadow works

DCShadow circumvents existing security measures in several different ways:

1. Exploits the normal replication mechanism in AD

DCShadow is not related to a Windows vulnerability, so there’s no security patch you can apply to eliminate your exposure. It’s also not related to AD configuration, so there’s no setting you can change close a loophole.

2. Evades detection by bypassing Windows security event logging

DCShadow allows any Windows server to impersonate a domain controller (DC) and inject changes directly into the AD replication stream. Such changes aren’t recorded in security event logs, and there’s no audit setting you can adjust to change that. As a result, SIEM systems and most AD change tracking tools don’t see – and can’t alert you to – changes made by the attacker to maintain privileged access (such as creating a new user and making it a member of the Domain Admins group).

3. Allows an attacker to inject any change into AD

For example, an attacker can add the SID of an enterprise or domain admin to the SID History of a regular user account and get privileged access via that account. So, even if you restrict changes to the Enterprise Admins and Domain Admins groups, an attacker can still get enterprise or domain admin rights. And, if you monitor changes to sensitive security groups, you won’t catch an attacker with privileged access via SID History.

DCShadow is also incredibly efficient: an attacker only has to use their original privileged access once and can create any number of untraceable backdoors in just a second or two.

In one Mimikatz console, the attacker queues up all the backdoors they want to create in AD (new user accounts, group memberships, SID History) etc.:

DCShadow Blog - Adding Domain Admin SID

In this example, the attacker has queued up just one change (adding a domain admin’s SID to a regular user’s SID History), but the attacker could easily queue up 15 or 20 or more changes.

In a second Mimikatz console, the attacker “pushes” the changes into the AD replication stream:

DCShadow Blog - Fake Domain Controller

The injection of changes happens in just a second or two, including the time it takes to register and unregister the fake DC.

What you can do about DCShadow

In part 2 of this blog post, I’ll talk about steps you can take to defend against DCShadow.

As you might guess, one way is to monitor changes in the AD replication stream. If you’d like a sneak peek at that approach – or a demo of a DCShadow attack – you can view a short (8-minute) video that I recorded recently. The video is available here.

About the author
Darren Mar-Elia
Darren Mar-Elia VP Products
A 14-year Cloud and Datacenter Microsoft MVP, Darren has a wealth of experience in Identity and Access Management and was the CTO and founder of SDM software, a provider of Microsoft systems management solutions. Prior to launching SDM, Darren held senior infrastructure architecture roles in Fortune 500 companies and was also the CTO of Quest Software. As a Microsoft MVP, Darren has contributed to numerous publications on Windows networks, Active Directory and Group Policy, and was a Contributing Editor for Windows IT Pro Magazine for 20 years. Linkedin
Unlock cyber resilience. Get a demo