What is DCShadow Attack?

Published On - May 23, 2024

The DCShadow attack allows an attacker who already holds privileged credentials to register a rogue Domain Controller (DC) and use it to push malicious objects into the Active Directory (AD) environment through the normal replication process. Unlike a privilege escalation attack, DCShadow is a post-exploitation technique that is typically used in the late stage of an attack's kill chain. Its purpose is persistence: by replicating malicious changes into the domain, the attacker maintains a foothold within the target organization's infrastructure.


How Does the DCShadow Attack Work?

Below are five of the most notable steps in a DCShadow attack:

Step 1 – Register workstation as DC

A DCShadow attack begins with the attacker registering a workstation as a Domain Controller (DC) in the target Active Directory (AD) environment. This is achieved by creating a new nTDSDSA object (the object that represents a DC) in the Configuration partition and adding it to the replication topology, which requires privileged rights over that partition.

Step 2 – Setup Kerberos authentication support

The attacker then sets up the required Kerberos authentication support by creating two Service Principal Names (SPNs): the DRS service class (E3514235-4B06-11D1-AB04-00C04FC2DCD2) and the Global Catalog service class (GC).

Step 3 – Inject malicious data

The next step is to inject malicious changes into the replication process. The attacker either waits for the DC's Knowledge Consistency Checker (KCC) to initiate replication, which typically takes up to 15 minutes, or forces the process by invoking the IDL_DRSReplicaAdd RPC function, which starts replication immediately on an ad-hoc basis. Either way, the rogue DC now participates in replication and can inject malicious data.

Step 4 – Start Remote Procedure Call (RPC) servers

To push the malicious data into the replication process, the attacker starts Remote Procedure Call (RPC) servers that answer the directory replication interface, including DrsAddEntry, GetNCChanges, and DrsReplicaAdd. This enables the rogue DC to inject illegitimate data into the targeted AD environment, including modified user accounts and security group memberships, a manipulated schema, and newly created backdoors.

Step 5 – Remove Rogue DCs

Finally, the attacker concludes the attack by removing the rogue DC and associated objects from the configuration partition, leaving behind a compromised AD environment with malicious data.

Impact of a DCShadow Attack

A DCShadow attack can have significant impacts on an organization’s security and integrity. The attack can modify discretionary access control lists (DACLs), allowing attackers to gain elevated privileges and unauthorized access to resources. Below are some other notable consequences of a DCShadow attack:

Unauthorized Access and Privilege Escalation

A DCShadow attack can modify user account attributes, such as the description, primary group ID, and other settings. This can lead to privilege escalation, allowing attackers to assume higher-level privileges and potentially even administrative control.

Persistence and Lateral Movement

A DCShadow attack can create hidden administrative accounts, giving attackers a means of persistence and allowing them to move laterally within the network. It can also create backdoors that serve as persistent entry points into the system. Furthermore, a DCShadow attack can target trusted domains, allowing attackers to move laterally across the wider network.

Vulnerabilities in Active Directory

A DCShadow attack can manipulate the Security Identifier (SID) history of an account, allowing attackers to access resources they are not authorized to use. This can also lead to replication errors, as the SID history is used to track changes to the directory. The attack can modify an object's metadata, introducing inconsistencies into the Active Directory (AD) database.

Compromise of Integrity and Entry Points

A DCShadow attack can compromise the integrity of the AD and provide attackers with an entry point to exploit vulnerabilities in the system. In addition, the attack can modify the AD schema, creating vulnerabilities in the AD database. This can also enable attackers to exploit sensitive information and assume control over the system.

How to Protect Against DCShadow Attacks

Protecting against DCShadow attacks is a complex task, as they exploit native features of Active Directory rather than vulnerabilities that can be addressed through patching. A crucial aspect of defense is recognizing that an attacker must already hold Domain Admin or Enterprise Admin privileges to execute a DCShadow attack. Therefore, the most effective way to prevent this attack is to ensure that no one gains unauthorized membership of these highly privileged security groups: Domain Admins and Enterprise Admins.

Detect DCShadow attacks

Detecting DCShadow attacks requires careful monitoring for specific changes on a computer. A key indicator of a DCShadow attack is the modification of Computer Service Principal Names (SPNs) on a computer that is not a domain controller.

Two SPNs in particular are indicative of a DCShadow attack: the Global Catalog server SPN (GC) and the Directory Replication Service (DRS) SPN (E3514235-4B06-11D1-AB04-00C04FC2DCD2).

To detect these changes, look for the addition of these SPNs on a non-DC computer account, followed shortly afterwards by their removal. Event ID 4742 (a computer account was changed) records these modifications and reveals the user who initiated the change, thereby identifying the Domain Admin account being used to conduct the attack.

How DCShadow Creates and Deletes DCs

The DCShadow attack creates and deletes domain controllers (DCs) by writing to the Sites container in the Configuration naming context. During this process, DCShadow creates a new server object and its corresponding NTDS Settings object, then replicates the changes to other DCs. It promptly deletes these entries to conceal its tracks, but the sequence leaves anomalies behind in the event logs.

Specifically, Event ID 5137 (a directory service object was created) will contain information about the rogue DC, including its name, GUID, object class, and the account responsible for creating it. This unusual sequence of events can be tracked to identify the rogue DC, providing insight into the malicious activity.

Unusual Replication Event & Replication Failure

DCShadow attacks can also be detected by monitoring replication, although it may be challenging to distinguish these events from genuine replication activity. A useful indicator is Event ID 4929, which records the removal of a replica source naming context and, in a DCShadow attack, typically names the rogue DC as the source. If the source in this event is a computer that is not a recognized domain controller, it should raise concerns.

Additionally, the pair of Event IDs 4935 and 4936, which typically indicate a replication failure, can also be linked to a DCShadow attack when they occur alongside the indicators above.
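As an added example (not Lepide's code, and not part of the original article), the following Python scans a time-ordered list of exported Windows events for the indicators described above: DRS or GC SPNs set on a non-DC computer account (4742) and later removed again, a server or nTDSDSA object created under the Sites container (5137), a replica source that is not a known DC (4929), and replication failures (4935/4936) seen alongside those indicators. The event field names follow the Windows event XML; the known-DC inventory and the sample events are constructed assumptions.

```python
# SPN service classes named in the article: the DRS class GUID and the Global Catalog class.
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
GC_SPN_CLASS = "GC"
KNOWN_DCS = {"DC01", "DC02"}  # assumed inventory of legitimate DCs; build it from your own DC list

def host_of(name: str) -> str:
    """Normalise 'WS07$' or 'ws07.corp.example' to 'WS07'."""
    return name.rstrip("$").split(".", 1)[0].upper()

def dc_spn_classes(spns: list[str]) -> set[str]:
    """Service classes among the SPNs that only a domain controller should carry."""
    return {s.split("/", 1)[0].upper() for s in spns} & {DRS_SPN_CLASS, GC_SPN_CLASS}

def scan(events: list[dict]) -> list[str]:
    """Return one alert per DCShadow indicator found in the time-ordered event list."""
    alerts: list[str] = []
    armed: set[str] = set()  # non-DC hosts currently carrying a DRS or GC SPN
    for ev in events:
        eid, who = ev["EventID"], ev.get("SubjectUserName", "?")
        if eid == 4742:  # computer account changed; field names follow the event XML
            host = host_of(ev["TargetUserName"])
            if host in KNOWN_DCS:
                continue  # a real DC is expected to carry these SPNs
            found = dc_spn_classes(ev.get("ServicePrincipalNames", []))
            if found:
                armed.add(host)
                alerts.append(f"4742 DC SPN {sorted(found)} set on non-DC {host} by {who}")
            elif host in armed:  # the add-then-remove sequence described in the article
                armed.discard(host)
                alerts.append(f"4742 DC SPN removed again from {host} by {who}")
        elif eid == 5137 and ev.get("ObjectClass") in ("server", "nTDSDSA"):
            if "CN=SITES,CN=CONFIGURATION" in ev.get("ObjectDN", "").upper():
                alerts.append(f"5137 {ev['ObjectClass']} created at {ev['ObjectDN']} by {who}")
        elif eid == 4929 and host_of(ev["SourceDRA"]) not in KNOWN_DCS:
            alerts.append(f"4929 replica source {host_of(ev['SourceDRA'])} is not a known DC")
        elif eid in (4935, 4936) and alerts:  # replication failure only counts alongside other indicators
            alerts.append(f"{eid} replication failure reported by {host_of(ev['Computer'])}")
    return alerts

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"EventID": 4742, "TargetUserName": "WS07$", "SubjectUserName": "da-jdoe", "ServicePrincipalNames":
        ["GC/ws07.corp.example/corp.example", DRS_SPN_CLASS + "/00000000-0000-0000-0000-000000000001/corp.example"]},
    {"EventID": 5137, "ObjectClass": "nTDSDSA", "SubjectUserName": "da-jdoe", "ObjectDN":
        "CN=NTDS Settings,CN=WS07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 4929, "SourceDRA": "ws07.corp.example", "Computer": "DC01.corp.example"},
    {"EventID": 4936, "Computer": "DC01.corp.example"},
    {"EventID": 4742, "TargetUserName": "WS07$", "SubjectUserName": "da-jdoe", "ServicePrincipalNames": ["HOST/ws07.corp.example"]},
    {"EventID": 4742, "TargetUserName": "DC02$", "SubjectUserName": "SYSTEM", "ServicePrincipalNames": ["GC/dc02.corp.example/corp.example"]},
]
```

Running `scan(SAMPLE_EVENTS)` yields five alerts, all naming WS07 and the da-jdoe account, while the GC SPN on the legitimate DC02 is ignored.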

How Lepide Helps Detect DCShadow Attacks

The Lepide Data Security Platform can detect and respond to DCShadow attacks. The platform's built-in threat detection capabilities monitor all domain replication and change events in real time, identifying suspicious behavior indicative of DCShadow attacks. This includes monitoring for the addition and deletion of domain controllers and for anomalous replication traffic.

Upon detection, an intuitive dashboard will present a detailed breakdown of the changes made as part of the attack, such as the addition of a new domain controller running Windows 10, which is incompatible with the domain controller role. While prompt detection is crucial, prompt response is equally important, as an attacker has likely compromised a highly privileged account.

To respond effectively, Lepide offers automated response options, enabling users to create customized scripts for each threat or vulnerability. These scripts may include a notification of the attack, critical attack details, and facilitate communication with relevant stakeholders through integration with tools like Slack, Microsoft Teams, and ServiceNow.
