Active Directory Attack - DCShadow
DCShadow is a feature of Mimikatz that lives in the lsadump module. It makes the attacker's machine behave like a Domain Controller (it registers itself in the Configuration partition and speaks the DRS replication RPC interface that only DCs normally use) and replicates its own changes into Active Directory. Because the changes arrive through replication rather than through an LDAP write on a real DC, they do not pass through the audit path that most security controls and SIEM rules watch. DCShadow is a stealthy post-exploitation technique for internal pentests: it is not a privilege escalation. In simple words, if you have already compromised a Domain Admin account and some regular domain users in a SIEM-monitored network, DCShadow lets you change directory data (for example to grant a regular user Domain Admin rights) while avoiding the alerts that would normally be triggered, and so maintain persistence.
Let's demo this attack in our lab setup. As the screenshot showed, we have access to two users: pc (Domain Admin) and victim1 (Domain User).
Download a fresh copy of Mimikatz and transfer it to the compromised workstation. Open a first command prompt (window-1) and run Mimikatz. Use `!+` to register and start the Mimikatz driver service (it runs as SYSTEM), then `!processtoken` to steal a SYSTEM token into the Mimikatz process. This window will act as the fake Domain Controller; the fake DC needs SYSTEM on the local host to register its RPC server, which is why the token theft comes first.
So what evil can we think of now? Changing the user's privileges from Domain User to Domain Admin ;) Let's change the primaryGroupID of victim1 to 512, the RID of the Domain Admins group. (Note that 521 is the RID of Read-only Domain Controllers, not Domain Admins.) In window-1, the change is staged with the lsadump::dcshadow command, which prints the object, attribute and value it will replicate and then waits for a push.
Note: the same technique can modify any attribute of any object in Active Directory, not just user attributes; primaryGroupID is only the example used here.
Open one more command prompt (window-2) running as the Domain Admin account (the push registers the fake DC in the Configuration partition and triggers replication, which requires those rights). In it, run the dcshadow push command (`lsadump::dcshadow /push`) to replicate the staged change to a real Domain Controller; the fake DC registration is removed again once the push completes.
Everything seems to have worked. Let's verify whether the group membership of victim1 actually changed.
Voila! victim1 is now a member of "Domain Admins", with minimal or zero alerts generated on the network. Two things make this quiet: the DC never processed an originating LDAP write, so the usual account-change audit events are not produced on it, and primary-group membership is computed from the user's primaryGroupID rather than stored in the group's member attribute, so no "member added to group" event (4728) and no change to the Domain Admins member attribute occurs either.
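The following PowerShell is an added example, not code from the original post: it checks the membership change from several views so you can see which ones reflect a primaryGroupID-based membership and which miss it. It assumes the RSAT ActiveDirectory module is available and reuses the post's user name `victim1`.

```powershell
# Added example (not from the original post): verify a primaryGroupID change on a
# user and compare the views of "Domain Admins" membership that do and do not see it.
# Membership granted via primaryGroupID is computed, not stored in the group's
# member attribute, so an LDAP query of member/memberOf alone will miss it.
# Assumes the RSAT ActiveDirectory module; 'victim1' is the user name from the post.
Import-Module ActiveDirectory

function Test-PrimaryGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$GroupName = 'Domain Admins'
    )

    $user  = Get-ADUser  -Identity $SamAccountName -Properties primaryGroupID, memberOf
    $group = Get-ADGroup -Identity $GroupName      -Properties member

    # The RID of a group is the last component of its SID (512 for Domain Admins).
    $groupRid = [int]($group.SID.Value -split '-')[-1]

    # Get-ADGroupMember resolves primary-group members as well as linked ones.
    $resolvedMember = Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.SamAccountName -eq $user.SamAccountName }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PrimaryGroupID       = $user.primaryGroupID
        PrimaryGroupIsTarget = ($user.primaryGroupID -eq $groupRid)
        # member / memberOf are the stored link pair; neither reflects primaryGroupID.
        InUserMemberOf       = ($user.memberOf -contains $group.DistinguishedName)
        InGroupMemberAttr    = ($group.member  -contains $user.DistinguishedName)
        InGetADGroupMember   = [bool]$resolvedMember
    }
}

Test-PrimaryGroupMembership -SamAccountName 'victim1' | Format-List
```

After a successful DCShadow push of primaryGroupID=512, expect PrimaryGroupIsTarget and InGetADGroupMember to be true while InUserMemberOf and InGroupMemberAttr stay false; detection logic that only diffs the group's member attribute will therefore never see this change, and should also watch primaryGroupID on user objects.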
The chart (from the referenced DCShadow site) lists the features Mimikatz can abuse with this technique; we abused the first one, modifying existing objects.
Is there any way to detect this attack? Yes. UnCoverDCShadow is a PowerShell proof-of-concept that can raise alerts for this attack from any domain-joined machine: it subscribes to LDAP change notifications on the Configuration partition and flags the server/nTDSDSA objects and SPNs that a fake DC has to register before it can push. Suricata rules for the replication (DRSUAPI) traffic coming from a host that is not a known DC have also been released. On the DC side, Directory Service events for object creation and deletion in the Configuration partition (5137 and 5141) and a computer account change (4742) that adds GC or replication-related SPNs to a non-DC host are the artifacts to watch.
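As an added example (not UnCoverDCShadow and not code from the original post), the following PowerShell performs the point-in-time version of that check: it lists every nTDSDSA object in the Configuration partition and reports any whose server object does not correspond to a known Domain Controller of the forest. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the function name `Find-RogueReplicationPartner` is my own.

```powershell
# Added example (not from the original post): point-in-time check for rogue
# replication partners, i.e. nTDSDSA objects in the Configuration partition whose
# parent server object does not match any Domain Controller in the forest.
# DCShadow registers such an object for the fake DC and removes it after the push,
# so this only catches an attack in progress (or a failed cleanup); for continuous
# coverage use LDAP change notifications or DS events 5137/5141 on the config NC.
# Assumes the RSAT ActiveDirectory module; the function name is ours.
Import-Module ActiveDirectory

function Find-RogueReplicationPartner {
    [CmdletBinding()]
    param(
        # Optional DC to query; defaults to the one discovered by the module.
        [string]$Server
    )

    $adParams = @{}
    if ($Server) { $adParams['Server'] = $Server }

    $configNc = (Get-ADRootDSE @adParams).configurationNamingContext

    # Legitimate DCs (including RODCs) of every domain in the forest, keyed by FQDN.
    $knownDcs = @{}
    foreach ($domain in (Get-ADForest @adParams).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            $knownDcs[$dc.HostName.ToLower()] = $true
        }
    }

    # Every nTDSDSA object sits directly under a server object:
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configNc>
    $ntdsObjects = Get-ADObject @adParams -LDAPFilter '(objectClass=nTDSDSA)' `
        -SearchBase "CN=Sites,$configNc" -SearchScope Subtree

    $findings = foreach ($ntds in $ntdsObjects) {
        # Parent DN = the nTDSDSA DN without its leading RDN.
        $serverDn = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject @adParams -Identity $serverDn -Properties dNSHostName, whenCreated

        $fqdn = if ($server.dNSHostName) { $server.dNSHostName.ToLower() } else { '' }
        if (-not $knownDcs.ContainsKey($fqdn)) {
            [pscustomobject]@{
                ServerDN    = $serverDn
                DnsHostName = $server.dNSHostName
                WhenCreated = $server.whenCreated
                Reason      = 'nTDSDSA object with no matching Domain Controller'
            }
        }
    }

    return $findings
}

Find-RogueReplicationPartner | Format-Table -AutoSize
```

Run it from a scheduled task on a monitoring host and alert on any output. Expect stale server objects left behind by a demoted DC to show up too; those are worth cleaning up anyway, and a server object with a very recent whenCreated whose dNSHostName is a workstation is the DCShadow signature.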
Reference: https://www.dcshadow.com/