Attacks - Active Directory Hacking

DCShadow Attack

TL;DR

A DCShadow attack is a type of attack categorized under the Rogue Domain Controller (DC) technique in the MITRE ATT&CK framework (ID: T1207). In a DCShadow attack, an attacker who already holds high privileges registers a rogue domain controller in Active Directory (AD) and uses it to push changes into the directory through normal replication.

To perform a DCShadow attack, the attacker needs Domain Admin privileges (or equivalent rights on the Configuration partition and on the target objects) plus SYSTEM on the machine that will act as the rogue DC. The attacker registers a fake DC in the AD database and then pushes malicious changes, for example privilege escalation by modifying attributes such as sIDHistory.

The changes are received by the legitimate DC as inbound replication rather than as originating writes, so the usual object-modification audit events are not generated for them there; they look like normal replication traffic between DCs, which is why they slip past conventional logging and monitoring.

Attack Demo with Mimikatz:

  1. Gain SYSTEM privileges on the machine that will act as the rogue DC (needed to open the rogue DC's RPC server).
mimikatz.exe "!+" "!processtoken"
  2. Stage the change: set the SidHistory of the targeted user. This command starts the rogue DC's RPC server and waits for a push.
mimikatz # lsadump::dcshadow /object:"CN=xLe0x,OU=Employees,DC=sub,DC=lab,DC=local" /attribute:SidHistory /value:S-1-5-21-2109251233-867822201-1101879966
  3. From a second Mimikatz instance running as a Domain Admin, register the rogue DC, trigger replication, and push the change to a legitimate DC.
mimikatz # lsadump::dcshadow /push
  4. Unregister the rogue DC: /push removes the rogue DC's registration once replication completes, to reduce the chance of detection.

What is DCShadow Attack?

A DCShadow attack is a type of attack categorized under Rogue Domain Controller(DC) technique in the MITRE ATT&CK framework (ID: T1207). A DCShadow attack is an attack on the Active Directory (AD) where an attacker registers a rogue domain controller to manipulate the AD from the created DC.

How does it work?

  1. Prerequisites:
    • The attacker must have Domain Admin privileges (or equivalent rights on the Configuration partition and the target objects), and SYSTEM on the machine that will act as the rogue DC.
  2. Registering a Rogue DC:
    • The attacker registers a fake DC in the AD database (a server object and an nTDSDSA object in the Configuration partition, plus the replication SPNs on the machine's computer account).
  3. Modifying Attributes:
    • The attacker modifies attributes like sIDHistory to perform privilege escalation.
    • Because the legitimate DC receives these changes through replication, they bypass the object-modification audit events that an LDAP write would generate.

Demo Time

Let’s demonstrate the DCShadow attack using Mimikatz:

  1. Obtaining SYSTEM Privileges: the rogue DC has to expose a DRS RPC server on the attacker's machine, which requires SYSTEM on that host. Mimikatz does this by loading its mimidrv driver: ‘!+’ registers and starts the “mimidrv” service, and ‘!processtoken’ impersonates a SYSTEM token. Both run in the first Mimikatz console, which stays open to act as the rogue DC.
mimikatz.exe "!+" "!processtoken"
  2. Modifying Attributes:
    • In the same (SYSTEM) console, use Mimikatz to stage a modification of the SidHistory attribute of a targeted user. The command starts the rogue DC's RPC server and waits for the push in the next step.
mimikatz # lsadump::dcshadow /object:"CN=xLe0x,OU=Employees,DC=sub,DC=lab,DC=local" /attribute:SidHistory /value:S-1-5-21-2109251233-867822201-1101879966

This command prepares the rogue server for a DCShadow attack and targets the user object xLe0x. The /object switch identifies the target user by distinguished name, while the /attribute switch specifies SidHistory, the attribute to which the SID of a Domain Admin account is added. The /value must be a well-formed SID (S-1-5-21-<domain identifier>-<RID>); once S-1-5-21-2109251233-867822201-1101879966 is present in the sIDHistory of xLe0x, every access check treats that account as holding the Domain Admin's SID, so it inherits Domain Admin privileges without ever being added to the group.

  3. Pushing the changes back to a real domain controller:
    • From a second Mimikatz console running as a Domain Admin, register the rogue DC and push the staged change to a legitimate DC. Mimikatz creates the server and nTDSDSA objects in the Configuration partition, adds the replication SPNs to the computer account, and then asks the legitimate DC to replicate from the rogue one.
mimikatz # lsadump::dcshadow /push
  4. Unregistering the Rogue DC:
    • After replication completes, Mimikatz cleans up the signs of the compromise as part of /push: it deletes the rogue domain controller's server and nTDSDSA objects from the Configuration partition and removes the SPNs it added. The replicated change itself (the new sIDHistory value) stays in the directory.

Impact

  • Privilege Escalation: Attackers can add high-privilege account SIDs to a user's sIDHistory to gain unauthorized admin access.
  • Persistence: Attackers can maintain access undetected even after the initial breach is addressed, because the injected change survives the cleanup of the rogue DC.
  • Bypassing ACLs: Privileged SIDs in sIDHistory are honoured by every access check, so attackers bypass access controls without appearing in any group membership.
  • Undetected Changes: Changes made through DCShadow arrive as replicated data and so evade the directory-change auditing that conventional detection relies on.
  • Replication Abuse: Once accepted by one legitimate DC, the unauthorized changes are replicated to all domain controllers.

Detection

  1. Network Monitoring:

    • Analyze DRSUAPI traffic (MS-DRSR, RPC interface UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2). Legitimate DCs only replicate with each other, so a DRSReplicaAdd request that names a non-DC as the replication source, or a DC pulling DRSGetNCChanges from a system not known to be a domain controller, is a strong indicator.
  2. Windows Event Logs:

    • Monitoring the following event IDs can provide clues about a potential DCShadow attack:
      • Event ID 4742 - A computer account was changed (the rogue host's computer account gains the GC and DRS replication service principal names).
      • Event ID 4928 - An Active Directory replica source naming context was established.
      • Event ID 4929 - An Active Directory replica source naming context was removed.
      • Event ID 5136 - A directory service object was modified.
      • Event ID 5137 - A directory service object was created (the rogue server and nTDSDSA objects under CN=Sites,CN=Configuration).
      • Event ID 5141 - A directory service object was deleted (the same objects removed during cleanup).
    • In every case the decisive check is whether the computer named in the event is a legitimate DC. Promoting a real DC produces the same events, so the list of known DCs has to be kept current.

Additional Insights

  • Mimicking a Domain Controller:
    To be accepted as a replication partner, the attacker's machine must look like a DC. Mimikatz creates a server object and an nTDSDSA object for it under CN=Sites,CN=Configuration, and adds two service principal names to the existing non-DC computer object: the global catalog SPN (GC/<host>/<domain>) and the DRS replication SPN (E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSA GUID>/<domain>). These changes are reversed after the attack, which is why both the creation and the deletion of these objects are worth alerting on.
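The detection section above lists the event IDs to watch, and the insight above explains what a rogue DC has to add to the directory; the following script, added here as an example and not taken from the original page or from Mimikatz, turns those two passages into one check. It runs over a handful of constructed event records (shaped like the EventData fields of the real 4742, 4928/4929 and 5137/5141 events) and flags every event in which a host that is not on the assumed list of legitimate DCs acquires replication SPNs, gets an nTDSDSA object, or is used as a replication source. The host names, the SID-less sample SPNs and the DSA GUID are all invented for the example.

```python
"""Flag DCShadow indicators in Windows Security events (added example).

Input records are constructed to mirror the EventData fields of the real
event IDs; the known-DC list is an assumption for the example.
"""
import re
from typing import Dict, Iterable, List

# A rogue DC must carry these SPNs before a legitimate DC will replicate from it:
# the global-catalog SPN and the DRS replication SPN, whose prefix is the
# MS-DRSR interface UUID.
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
GC_SPN_PREFIX = "GC/"

# The server name is the second RDN of an nTDSDSA object's DN:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
NTDSDSA_DN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def hostname(name: str) -> str:
    """Normalise 'WS01$', 'ws01.sub.lab.local' and 'WS01' to 'ws01'."""
    return name.rstrip("$").split(".")[0].lower()


def server_from_dn(dn: str) -> str:
    """Pull the server name out of an nTDSDSA DN; fall back to the raw DN."""
    m = NTDSDSA_DN.match(dn)
    return hostname(m.group(1)) if m else dn.lower()


def detect_dcshadow(events: Iterable[Dict], known_dcs: Iterable[str]) -> List[Dict]:
    """Return one alert per event in which a non-DC host behaves like a DC."""
    dcs = {hostname(d) for d in known_dcs}
    alerts: List[Dict] = []
    for ev in events:
        eid, data = ev["EventID"], ev.get("EventData", {})
        host, reason = None, None
        if eid == 4742:
            # Computer account changed: replication SPNs appearing on the account
            spns = data.get("ServicePrincipalNames", "").upper().split()
            if any(s.startswith((DRS_SPN_PREFIX, GC_SPN_PREFIX)) for s in spns):
                host = hostname(data.get("TargetUserName", ""))
                reason = "replication SPNs present on a non-DC computer account"
        elif eid in (4928, 4929):
            # Replica source established/removed: the source DSA must be a known DC
            host = server_from_dn(data.get("SourceDRA", ""))
            reason = "replication source is not a known DC"
        elif eid in (5137, 5141):
            # nTDSDSA object created/deleted under CN=Sites for an unknown server
            if data.get("ObjectClass", "").lower() == "ntdsdsa":
                host = server_from_dn(data.get("ObjectDN", ""))
                reason = "nTDSDSA object created/deleted for a non-DC"
        if host is not None and host not in dcs:
            alerts.append({"event_id": eid, "logged_on": ev.get("Computer"),
                           "host": host, "reason": reason})
    return alerts


# ---- constructed sample data (not real logs) -------------------------------
ROGUE_DSA = ("CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=sub,DC=lab,DC=local")
REAL_DSA = ROGUE_DSA.replace("CN=WS01,", "CN=DC02,")
KNOWN_DCS = ["DC01", "DC02"]  # assumption: the domain's legitimate DCs
DC = "DC01.sub.lab.local"     # the DC on which the events were logged

SAMPLE_EVENTS = [
    # rogue workstation WS01 gains the GC and DRS replication SPNs
    {"EventID": 4742, "Computer": DC, "EventData": {
        "TargetUserName": "WS01$",
        "ServicePrincipalNames": "HOST/WS01\n\t\tGC/ws01.sub.lab.local/sub.lab.local\n\t\t"
                                 "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
                                 "7f8a1c2d-3e4f-4a5b-8c9d-0e1f2a3b4c5d/sub.lab.local"}},
    # its nTDSDSA object is created, used as a replica source, then removed
    {"EventID": 5137, "Computer": DC, "EventData": {
        "ObjectDN": ROGUE_DSA, "ObjectClass": "nTDSDSA", "SubjectUserName": "Administrator"}},
    {"EventID": 4928, "Computer": DC, "EventData": {
        "SourceDRA": ROGUE_DSA, "NamingContext": "DC=sub,DC=lab,DC=local"}},
    {"EventID": 4929, "Computer": DC, "EventData": {
        "SourceDRA": ROGUE_DSA, "NamingContext": "DC=sub,DC=lab,DC=local"}},
    {"EventID": 5141, "Computer": DC, "EventData": {
        "ObjectDN": ROGUE_DSA, "ObjectClass": "nTDSDSA", "SubjectUserName": "Administrator"}},
    # benign: a real DC's account carries a GC SPN and is a normal replica source
    {"EventID": 4742, "Computer": DC, "EventData": {
        "TargetUserName": "DC02$",
        "ServicePrincipalNames": "GC/dc02.sub.lab.local/sub.lab.local"}},
    {"EventID": 4928, "Computer": DC, "EventData": {
        "SourceDRA": REAL_DSA, "NamingContext": "DC=sub,DC=lab,DC=local"}},
]

if __name__ == "__main__":
    for alert in detect_dcshadow(SAMPLE_EVENTS, KNOWN_DCS):
        print(alert)
```

Run against the sample data the script reports five alerts, all for ws01, one per attack stage (SPN addition, nTDSDSA creation, replica source added and removed, nTDSDSA deletion), and none for DC02. The same logic applied to a SIEM export needs only the field mapping changed; the one thing it cannot do on its own is tell a rogue DC from a freshly promoted real one, so the known-DC list is the part to keep under change control.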

Mitigation

  1. Implementing Firewall Policies:

    • Use host-based firewalls to limit lateral movement.
    • Restrict where domain controllers may initiate replication: a legitimate DC has no reason to connect to the RPC endpoint mapper and dynamic RPC ports of a workstation, so allow DC-to-DC replication traffic only toward known DCs.
    • Ensure remote management protocols like RDP are accessible only from a small set of approved and monitored systems.
  2. Limit User Privileges:

    • Minimize the number of users with administrative privileges across security boundaries to reduce the risk of privilege escalation.
  3. Control Access to Computer Objects:

    • Limit the number of users with permissions to add computer objects to Active Directory and to write servicePrincipalName on existing ones, and watch the CN=Sites container in the Configuration partition, since a rogue DC needs both a computer account with replication SPNs and server/nTDSDSA objects there.
  4. Reduce Delegated Administrative Permissions:

    • Properly govern built-in privileged groups and delegated administrative permissions to prevent abuse.
  5. Maintain Good Active Directory Hygiene:

    • Regularly remove unused sites and computer objects to reduce the attack surface and maintain a secure AD environment.