In a DC Shadow attack, the attacker pushes malicious changes to the domain via domain replication. Because the changes arrive through the normal replication channel, they look legitimate and are therefore difficult to detect. To perform this attack, the attacker needs domain admin credentials.
Once they hold domain admin privileges, they register the workstation they are working from as a new DC (a rogue DC) and push changes to AD objects such as the schema, ACLs, SPN values, SID-history injection, and more.
A DC is represented in the AD database by an object of class nTDSDSA, which can be created only in the configuration or the domain partition. Only privileged principals (BUILTIN\Administrators, DOMAIN\Domain Admins, DOMAIN\Enterprise Admins and NT AUTHORITY\SYSTEM) have control rights over the nTDSDSA class.
For the rogue DC to be a part of the replication system, the following requirements should be fulfilled:
Both are fulfilled through the use of appropriate SPNs. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. For the replication process, a minimum of two SPNs is required, one for the DRS service class and one for the global catalog service class, to establish connections between the rogue DC and the other DCs.
The steps in DC Shadow attack can be outlined as follows:
The DC Shadow attack starts with the adversary obtaining elevated privileges, so monitor for suspicious privilege escalations to stop the attack before it begins.
To carry out the attack, the attacker must modify the SPN values of the system from which the attack is launched. Detecting this change accurately helps you track down a DC Shadow attack. Further, ML-driven user behavior analytics that recognize the behavior pattern of a rogue DC being registered and then unregistered, combined with visibility into the replication traffic it pushes, narrow the search down to actual attack incidents.
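As an added illustration (not part of the original article or of Log360), the following Python applies the SPN check described above to constructed sample audit records: it flags a computer account outside the known DC set that gains a GC or DRS replication SPN, and pairs it with the quick unregistration that follows. Hostnames, timestamps and the record field names are assumptions; the DRS service class GUID is the well-known value used for replication SPNs.

```python
from datetime import datetime, timedelta

# Well-known SPN service classes a DC must advertise to take part in replication.
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # DRS replication service class GUID
GC_SPN_CLASS = "GC"

# Constructed inventory of legitimate DC computer accounts (assumption).
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed "computer account changed" records; field names are assumed.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "account": "DC01$",
     "spns": ["GC/dc01.corp.local/corp.local", f"{DRS_SPN_CLASS}/dc01-guid/corp.local"]},
    {"time": "2024-05-01T10:05:00", "account": "WS042$",  # workstation gains DC-only SPNs
     "spns": ["HOST/ws042.corp.local", "GC/ws042.corp.local/corp.local",
              f"{DRS_SPN_CLASS}/ws042-guid/corp.local"]},
    {"time": "2024-05-01T10:06:30", "account": "WS042$",  # SPNs removed again minutes later
     "spns": ["HOST/ws042.corp.local"]},
    {"time": "2024-05-01T11:00:00", "account": "WS099$",  # ordinary SPN change, not flagged
     "spns": ["HOST/ws099.corp.local", "MSSQLSvc/ws099.corp.local:1433"]},
]


def replication_spn_classes(spns):
    """Return the replication-related service classes present in an SPN list."""
    classes = {spn.split("/", 1)[0].upper() for spn in spns}
    return classes & {GC_SPN_CLASS, DRS_SPN_CLASS}


def find_rogue_dc_registrations(events, known_dcs, window_minutes=10):
    """Flag non-DC accounts that gain GC/DRS SPNs, and the unregistration
    that follows within the window (the register/unregister pattern)."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"]
        if acct in known_dcs:
            continue  # legitimate DCs are expected to carry these SPNs
        t = datetime.fromisoformat(ev["time"])
        classes = replication_spn_classes(ev["spns"])
        if classes:
            pending[acct] = t
            alerts.append({"account": acct, "time": ev["time"],
                           "kind": "registered", "classes": sorted(classes)})
        elif acct in pending and t - pending.pop(acct) <= timedelta(minutes=window_minutes):
            alerts.append({"account": acct, "time": ev["time"],
                           "kind": "unregistered", "classes": []})
    return alerts
```

In production the known-DC set would come from the directory itself and the events from the security log rather than the constructed list.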
The following are some ways to monitor your logs for DC Shadow attack:
ManageEngine's Log360 is a one-stop solution for all your log management and network security challenges that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence and more. It allows you to audit Active Directory changes, network device logs and much more from a single console. With a powerful correlation engine, it associates events from different sources to detect suspicious patterns that resemble a DC Shadow attack.
Zoho Corporation Pvt. Ltd. All rights reserved.