The DCShadow attack exploits a switch in the Mimikatz utility that enables privileged users to inject malicious changes into Active Directory (AD) without detection. DCShadow takes advantage of native AD replication to avoid sending events to the AD security logs.

DCShadow methodology:

  • DCShadow empowers attackers (with admin rights) to spin up a fake Domain Controller (DC) that can quickly distribute changes to legitimate DCs using normal replication mechanisms.
  • Privileged users create a temporary DC object in the configuration naming context and keep it there just long enough (under 30 seconds) to push AD changes into an existing read-write DC. From there, replication is triggered by the legitimate “trusted” DC
  • Now, because these changes originated on the fake DC, security event logs have no record of what took place – SIEMs are blind to the impending assault. Ultimately, the attacker’s movements go unchecked, leaving behind a persistent threat.

Watch this video presentation to learn how to defend against this emerging threat. Presented by a 14-year Cloud and Datacenter Microsoft MVP, Darren Mar-Elia has a wealth of experience in Identity and Access Management and was the CTO and founder of SDM software, a provider of Microsoft systems management solutions.