Active Directory Attack - DCShadow

DCShadow is a new feature in Mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols such as RPC that are used only by DCs) to inject its own data, bypassing most common security controls, including your SIEM. DCShadow is a sneaky post-exploitation technique used in internal pentests. In simple words, if you have already compromised a Domain Admin and some regular domain users on a SIEM-monitored network, then with this attack (DCShadow) you can avoid triggering alerts and maintain persistence.
Let's demo this attack in our lab setup. As we can see from the screenshot below, we have access to two users (pc, a Domain Admin, and Victim1, a Domain User).

Download a fresh copy of Mimikatz and transfer it to the compromised workstation. Open CMD (window-1) with SYSTEM privileges. Use !+ to register the service and start it with SYSTEM privileges. Then use !processtoken to steal the SYSTEM token from the running service for the fake Domain Controller.

So what evil can we think of now? Changing a user's privileges from Domain User to Domain Admin ;) Let's change the primaryGroupID of victim1 to 521 (Domain Admin).

Note: You can modify any user attribute inside Active Directory using the attack above.

In CMD (window-1), type the command below to modify the primaryGroupID of Victim1.

Open one more CMD (window-2) with Domain Admin privileges and type the command below to push the changes to the Domain Controller.

Everything seems to have worked. Let's verify whether the group membership of Victim1 has changed.

Voila!! Victim1 is now a member of "Domain Admins", with minimal or zero alerts generated on the network.

The chart below shows the features Mimikatz can abuse using the attack technique above. (We abused the first feature: modify existing objects.)

Is there any way to detect this attack? Yes: a proof-of-concept PowerShell script named UnCoverDCShadow can generate alerts for this attack from any domain-joined machine. Some Suricata rules have also been released.
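As an added example (not code from the post and not UnCoverDCShadow itself), the detection idea can also be applied to Security log events already collected in a SIEM: a rogue DC must register DC-only SPNs (GC/ and the DRS RPC interface GUID) on its computer account, which appears in event 4742, and it gets an nTDSDSA "NTDS Settings" object under CN=Sites, which appears in event 5137 when directory service change auditing is on. The list of legitimate DCs and the flattened event dicts below are constructed assumptions.

```python
import re

# Assumptions (constructed for this example, not from the post): the legitimate DC computer
# accounts, and Security-log events already flattened into dicts by a log shipper.
KNOWN_DCS = {"DC01$"}
DRS_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"   # DRS RPC interface GUID (real value)
DC_SPN_RE = re.compile(rf"^(GC/|{DRS_GUID}/)", re.IGNORECASE)
NTDS_DN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)

# Constructed sample: a workstation account receiving DC-only SPNs (4742), its nTDSDSA
# object appearing under CN=Sites (5137), and a benign SPN change on the real DC.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WS01$",
     "ServicePrincipalNames": "HOST/ws01.lab.local;GC/ws01.lab.local/lab.local;"
                              f"{DRS_GUID}/11111111-2222-3333-4444-555555555555/lab.local"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=lab,DC=local"},
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "HOST/dc01.lab.local;GC/dc01.lab.local/lab.local"},
]

def dc_only_spns(spn_field):
    """Return the SPNs in a ';'-joined 4742 attribute value that only a DC should hold."""
    return [s for s in spn_field.split(";") if DC_SPN_RE.match(s)]

def detect_dcshadow(events, known_dcs=KNOWN_DCS):
    """Flag non-DC computer accounts that acquire DC SPNs or an NTDS Settings object."""
    dcs = {d.upper() for d in known_dcs}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            acct = ev.get("TargetUserName", "")
            hits = dc_only_spns(ev.get("ServicePrincipalNames", ""))
            if hits and acct.upper() not in dcs:
                alerts.append({"rule": "dc-spn-on-non-dc", "host": acct, "spns": hits})
        elif eid == 5137 and ev.get("ObjectClass", "").lower() == "ntdsdsa":
            m = NTDS_DN_RE.match(ev.get("ObjectDN", ""))
            host = (m.group(1) + "$").upper() if m else "?"   # server CN -> computer account
            if host not in dcs:
                alerts.append({"rule": "ntdsdsa-for-non-dc", "host": host, "dn": ev["ObjectDN"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_dcshadow(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire only on hosts outside the maintained DC list, so that list must be kept current (for example, from the nTDSDSA objects that legitimately exist) or every DC promotion will also alert.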
