Understanding DCShadow attacks: From the shadows to the spotlight

Active Directory (AD) is the heart of most organizations that depend upon it to manage users, permissions, authentication, access to resources, and so much more. This also makes it an attractive target for cyberattackers who attempt to compromise the AD infrastructure to gain elevated privileges and establish their eerie persistence.

According to Cyber Defense Magazine, 90% of companies run on AD, and unfortunately, 95 million of those accounts are under attack every single day. One of the most popular techniques to breach AD is through a DCShadow attack.

In this blog, we will shed light on the following aspects of a DCShadow attack:

• What is a DCShadow attack?
• How does a DCShadow attack work?
• What are the potential impacts of a DCShadow attack?
• How do you detect a DCShadow attack?

What is a DCShadow attack?

A DCShadow attack is a post-exploitation attack where an adversary who has already compromised domain administrator credentials registers a rogue domain controller (DC) and replicates malicious changes to AD. The attack technique was discovered by two developers, Vincent Le Toux and Benjamin Delpy, who unveiled it at the BlueHat IL Conference in 2018.

The attack exploits the AD replication process and aims to push malicious changes, like changes to the security identifier (SID) history, objects, and access control lists. One of the main prerequisites for conducting this attack is for attackers to acquire the credentials of a domain admin with sufficient permissions.

How does a DCShadow attack work?

A DCShadow attack is carried out through the following steps:

1. The attacker attempts to register a workstation (i.e., a computer object) as a DC by performing the following actions:

   • They create and add a new technology directory service directory system agent (nTDSDSA) object (which represents a DC in AD) in the server configuration partition as a new member of the replication process with privileged control rights.

   • They set up the required service principal names (SPNs) to provide authentication support for other DCs to connect to the rogue DC.

     After extensive research, the researchers Le Toux and Delpy concluded that a minimum of two SPNs are required to execute the replication process. These two SPNs are:

     • The Directory Replication Service (DRS) service class: It has the well-known GUID of E3514235–4B06–11D1-AB04–00C04FC2DCD2.
     • The global catalog (GC) service class: It has the string GC.

   DCShadow Attack Workflow

2. The attacker injects the malicious changes by participating in the replication process. This can be accomplished in two ways:

   • They wait for the Knowledge Consistency Checker of the DC to initiate replication. However, with this option, there is a delay of 15 minutes by default.
   • They force the replication process by invoking the IDL_DRSReplicaAdd RPC function, which starts the immediate replication on an ad-hoc basis.

3. The attacker starts the appropriate RPC servers, like DRSAddEntry, GetNCChanges, and DRSReplicaAdd. This is required for the rogue DC to push the malicious data during the replication process.

4. The attacker can now inject illegitimate data into the targeted AD environment by means such as modifying user accounts, changing security group memberships, manipulating the schema, and creating hidden backdoors.

5. The attacker concludes the attack by removing the rogue DC and the associated objects from the configuration partition.

What are the potential impacts of a DCShadow attack?

Following a DCShadow attack, an attacker can:

• Modify user account attributes such as the description and primaryGroupID:

  This can lead to privilege escalation within AD or the manipulation of group memberships and permissions.

• Create backdoors:

  This allows the attacker to persist in the AD infrastructure, thus giving them the opportunity to cause continuous damage.

• Modify DACLs:

  This can lead to the attacker having unauthorized access to sensitive AD objects and resources, resulting in privilege escalation and potential breaches.

• Create hidden admin accounts:

  This allows the attacker to have surreptitious control over the AD environment with compromised elevated privileges.

• Manipulate the SID history:

  This can lead to unauthorized access to resources and authentication failures for legitimate users.

• Modify the AD schema:

  This manipulation can impact the entire forest and disturb the integrity and stability of the AD infrastructure.

How do you detect a DCShadow attack?

The attackers exploit the AD replication process and perform malicious changes on a workstation disguised as a DC. Furthermore, this rogue DC is de-registered after the replication is pushed. This makes it easy for the attackers to go undetected without leaving many clues. However, if organizations pay attention to some of the key events that happen in their AD environment, the DCShadow attack can be detected and mitigated.

Here are some of the prime events to watch out for:

1. Look out for anomalous privilege escalation for domain admins. Flagging any non-privileged user who has been added to the domain admin group is the best way to detect the attack in the initial stages.

2. Monitor the creation and deletion of nTDSDSA objects in the site container of the configuration partition.

3. Monitor the two Kerberos SPNs—global catalog server (GC) and DRS—required by a workstation to impersonate a rogue DC.

4. Monitor any strange administrative actions performed for the first time, such as modifications to the AD schema and the creation of unrecognized replication connections.

5. Audit the replication of AD objects to identify suspicious patterns.

A SIEM solution like ManageEngine Log360 can help organizations effectively detect and respond to the IoCs of a DCShadow attack with its various comprehensive investigative reports. Stay a step ahead by requesting a free, personalized demo today and learn how Log360 can help you bolster your organization's security.