Protecting Against DCShadow

Protecting Against DCShadow

What Organizations Can Do to Stop a DCShadow Attack

Recently, I came across a post outlining how companies CANNOT effectively defend against a DCShadow attack but instead need to take a reactive approach to identify when it may have occurred by monitoring their environment, and rolling back any unwanted changes once they were identified. Unfortunately, reacting to an incident could mean the damage is already done and a malicious actor has run off with the ‘keys to the kingdom’. The best control to get a handle on a potential DCShadow attack would be to prevent one in the first place.

In this blog I will be covering the following topics:

  1. How an organization can effectively prevent or block a DCShadow attack in Mimikatz from occurring using StealthINTERCEPT
  2. How an organization can identify accounts that are capable of executing a DCShadow attack through Active Directory permissions with StealthAUDIT
  3. How an organization can detect and respond to a DCShadow attack with StealthDEFEND by recapping Lee Berg’s blog

What is a DCShadow Attack?

To start, let’s take a step back and identify what a DCShadow attack is, how it works, and why that matters to an organization. Jeff Warren already did a great post on how to attack Active Directory with DCShadow. At a high-level, a malicious actor gains access to a privileged account and wants to make some changes to persist in your environment. Directly making changes to group membership, permissions or the AdminSDHolder container would raise some red flags and set off the alarms, but with DCShadow, an attacker can make some changes and push them through with replication, circumventing most monitoring products and native event logs. If you’re not aware, DCShadow is actually a feature of the tool Mimikatz. What the tool does under the covers is register a computer as a ‘rogue’ Domain Controller in Active Directory. This is done by modifying the service principal name of a computer account, and creating a server object in the configuration partition within a Site, tricking Active Directory into thinking this is, in fact, a Domain Controller that should be trusted to replicate changes from. If you want to see a demo of this attack, be sure to check out the DCShadow attack page! This would require some pretty high privileges, if not using an account that is a member of something like Domain Admins, the account would need write access to a computer object, or more specifically ‘Write servicePrincipalName’ and ‘Create all child objects’ on the ‘Servers’ container within a Site.

What Can Organizations Do?

Block Domain Controller Promotion with StealthINTERCEPT

Thanks to my colleague Joe Dibley, I was provided some knowledge on how you can set up policies in StealthINTERCEPT to actually prevent a DCShadow attack from Mimikatz.

As you can see in the video above, a Domain Admin, who has Full Control on the Site object and a computer object is failing to execute a DCShadow attack. How is this possible? Within StealthINTERCEPT we’re locking down the capability to create new objects in a site and to modify servicePrincipalNames of computers to one Active Directory group. StealthINTERCEPT allows you to block changes made to Active Directory, so even though Domain Admins have full control on the objects through permissions, if they’re not a part of the group we’re telling StealthINTERCEPT to allow, the change will be blocked.

AUDIT Permissions

Potentially your organization isn’t ready to block Active Directory changes, or perhaps you want to just understand what permissions exist even though you’re locked down with StealthINTERCEPT. In comes StealthAUDIT Active Directory Permissions Analyzer. With StealthAUDIT, you’re able to collect and report on all of the Active Directory permissions that exist within your environment. Specifically highlighting permissions that may be used to escalate privileges, persist, or move laterally throughout your organization. That includes executing a DCShadow attack:

DCShadow Permissions report in StealthAUDIT
DCShadow Permissions report in StealthAUDIT

The report above is highlighting what users in the environment have the capability to write the servicePrincipalName attribute on a computer object through various permissions such as:

  1. Full Control
  2. Modify Permissions
  3. Write All Properties
  4. Write Property: servicePrincipalName

AND

The capability to create an object within the serversContainer on a Site through:

  1. Full Control
  2. Modify Permissions
  3. Create All Child Objects

Having one permission from both sets of permissions above could lead to the capability to execute a DCShadow attack. Being aware of what users have this access, and monitoring the actions those accounts take or removing that access, is also an effective way of stopping a DCShadow attack.

Detect and DEFEND

In the instance your organization isn’t ready to block changes made to Active Directory using StealthINTERCEPT and auditing the permissions that exist in Active Directory isn’t enough, StealthDEFEND can help you identify and respond to a DCShadow attack. Not only will StealthDEFEND identify a successful DCShadow attack, but an unsuccessful one would be identified as well. This would give you the capability to respond to and shut down an account that failed to execute DCShadow. As I mentioned above, Lee Berg has a blog post that goes into detail on how to respond to a DCShadow attack using StealthDEFEND.

Shining Light on the DCShadow

As you can see, by no means is it impossible for an organization to prevent a DCShadow attack. An organization may need to adapt and adhere to new policies to effectively mitigate the attack once StealthINTERCEPT is preventing specific changes in Active Directory, but it is definitely possible. If your organization isn’t ready to block changes, you’re still capable of identifying what privileged accounts you should be monitoring through StealthAUDIT and responding to a potential DCShadow attack with StealthDEFEND.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.