Skip to content

Latest commit

 

History

History
32 lines (19 loc) · 2.18 KB

T1207.md

File metadata and controls

32 lines (19 loc) · 2.18 KB

T1207 - DCShadow

DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018)

Atomic Tests


Atomic Test #1 - DCShadow - Mimikatz

Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller

DCShadow Additional Reference

Supported Platforms: Windows

Run it with these steps!

  1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
  2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
  3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
  4. lsadump::dcshadow /push