AD Attack: DC Shadow Attack

  • Home
  • AD Attack: DC Shadow Attack

In a DC Shadow attack, the attacker pushes malicious changes to domain via domain replication. These malicious changes are pushed in such a way that it looks legitimate and therefore it's difficult to detect. To perform this attack, the attacker needs the domain admin credentials.

Once they get hold of the domain admin privilege, they will register the workstation they are working from as a new DC (rogue DC) and make changes to AD objects such as schema, ACLs, SPN values, SID- history injection, and more.

Understanding DC Shadow attack

DC is represented in the AD database by an object of class nTDSDSA which can be created only in the configuration or the domain partition. Only the privileged users— BUILTIN\Administrators, DOMAIN\Domain Admins, DOMAIN\Enterprise Admins and NT AUTHORITY\SYSTEM , have control rights to nTDSDSA class.

For the rogue DC to be a part of the replication system, the following requirements should be fulfilled:

  1. Valid authentication credential to let other DCs establish connection to the rogue DCs.
  2. Provide authentication support to let the rogue DC connect to other DCs.

Both are fulfilled through the use of appropriate SPNs. The SPNs are used by Kerberos authentication to associate a service instance with a service logon account. For the replication process, a minimum of two SPNs (namely, the DRS service class and the global catalog service class) are required, to establish connections between the rogue DC and the other DCs.

The steps in DC Shadow attack can be outlined as follows:

  1. Obtain administrator privileges.
  2. Set up the required SPNs on the workstation they are working from.
  3. Create the NTDS-DSA object in the server configuration partition
  4. Impersonate environment as the computer account. Use the authentication context of the computer holding the SPNs.
  5. Start the appropriate RPC server, such as DrsAddEntry, DrsReplicaAdd, and GetNCChanges.
  6. Force the replication process

Detecting a DC Shadow Attack

The DC shadow attack starts with the adversary getting elevated privileges. So monitor for suspicious privilege escalations to stop the attack from happening.

To carry out the attack, the attacker needs to modify the SPN values of the system from which he's launching the attack. Detecting this change accurately helps you track down the DC shadow attack. Further, by employing ML-driven user behavior analytics to identify the pattern of behavior matching the registration and unregistration of rogue DC and being aware of the replication traffic pushed by them would narrow down to attack incidents.

The following are some ways to monitor your logs for DC Shadow attack:

  1. Monitor the network traffic associated with data replication such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges, between DCs as well as to/from non DC hosts and the associated events (Event ID 4928 and Event ID 4929).
  2. Monitor Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging.
  3. Periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects.

ManageEngine's Log360 is a one-stop solution for all your log management and network security challenges that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence and more. It allows you to audit Active Directory changes, network device logs and much more from a single console. With a powerful correlation engine, it associates events from different sources to detect suspicious patterns that resemble a DC Shadow attack.

Click here to explore the other features of Log360.

Products mentioned on this page:

Recently added chapters


Get the latest content delivered
right to your inbox!


Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.