In this blog post, we’ll be covering the DCShadow attack and how we can use StealthDEFEND to detect and respond to this type of attack. DCShadow was the topic of a previous STEALTHbits blog post, so here we’ll start with a review of DCShadow and then focus on how we can DETECT and RESPOND to this attack with StealthDEFEND.
Introduction to DCShadow
DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a “rogue” domain controller in order to PUSH changes to a domain via domain replication. These injected replication events are registered, processed, and committed as legitimate domain replication, which allows an attacker to push changes in a manner that is very hard to detect.
“DCShadow” itself is a command within the Mimikatz lsadump module that was released in early 2018. The command relies on specific calls within the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) and on creating records in the configuration partition to meet the bare minimum requirements for registering a machine as a domain controller. Once the machine is registered, an attacker can push changes and then unregister the rogue DC to further cover their tracks. By utilizing these protocols and processes, an attacker takes advantage of valid and necessary functions of Active Directory replication, which cannot be turned off or disabled.
Inside the Attack
Once an attacker has obtained privileged access (an account with domain replication rights), the attacker can utilize replication protocols to mimic a domain controller.
The following is a summarization of how the attack works:
- An attacker obtains Domain Admin rights and wants to make changes that will not be detected in order to create persistence.
- Using DCShadow, the attacker registers the computer it is run from (such as a workstation) as a Domain Controller in Active Directory by making changes to AD’s Configuration partition and the workstation’s SPN values. AD now treats this workstation as a Domain Controller and trusts it to replicate changes.
- A change (such as SIDHistory, AdminSDHolder, passwords, account details, or group membership) is crafted by the attacker and submitted for replication.
- Replication is triggered by DCShadow, and the change is replicated and then committed by a legitimate Domain Controller.
DCShadow Detection with StealthDEFEND
StealthDEFEND has a DCShadow threat right out of the box that has been built from the ground up to detect a DCShadow attack. StealthDEFEND actively monitors all Domain Replication and Change Events for signs of DCShadow. The primary method used to detect DCShadow is finding patterns of behavior matching the registration and unregistration of “rogue domain controllers” and tracking the replication traffic being pushed by them.
In this example, we have identified a new domain controller being added to and removed from the domain very quickly, in a suspicious manner. We have also identified that the source of the attack is running an unsupported operating system (Windows 10) that does not support the domain controller role.
In the expanded event details grid, we are also presented with the specific changes that were made as part of the DCShadow attack.
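The detection pattern described above (a domain controller that is registered and removed within minutes, a registering host whose operating system cannot hold the DC role, and the changes pushed in between) can be expressed as a simple correlation over change events. The Python below is an added example written for this post; it is not StealthDEFEND's code. The event and inventory records are constructed, their field names are assumptions rather than any product's schema, and the operating-system check is a heuristic. It also flags one further indicator the steps above imply: a DC-style SPN (GC/) written to a computer object outside the Domain Controllers OU.

```python
"""Added example: correlate AD change events to flag a DCShadow-style rogue DC.

All records below are constructed for illustration; the field names
(ts, op, host, class, dn, attr, value) are assumptions, not a real log schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events. In a real pipeline these would come from AD
# replication metadata or change auditing.
SAMPLE_EVENTS = [
    # Rogue path: workstation WKS01 registers an NTDS Settings (nTDSDSA) object
    # under its site, gains a DC-style SPN, pushes one change, then unregisters.
    {"ts": "2020-05-01T10:00:00", "op": "add", "host": "WKS01", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=WKS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"ts": "2020-05-01T10:00:05", "op": "modify", "host": "WKS01", "attr": "servicePrincipalName",
     "dn": "CN=WKS01,CN=Computers,DC=corp,DC=example", "value": "GC/WKS01.corp.example/corp.example"},
    {"ts": "2020-05-01T10:00:20", "op": "replicate", "host": "WKS01", "attr": "primaryGroupID",
     "dn": "CN=svc-backup,CN=Users,DC=corp,DC=example", "value": "512"},
    {"ts": "2020-05-01T10:00:30", "op": "delete", "host": "WKS01", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=WKS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    # Legitimate path: a new server is promoted and stays registered.
    {"ts": "2020-05-01T11:00:00", "op": "add", "host": "DC02", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"ts": "2020-05-01T11:05:00", "op": "replicate", "host": "DC02", "attr": "description",
     "dn": "CN=svc-backup,CN=Users,DC=corp,DC=example", "value": "backup service"},
]

# Constructed computer inventory: host -> operatingSystem attribute value.
SAMPLE_INVENTORY = {
    "WKS01": "Windows 10 Enterprise",
    "DC01": "Windows Server 2019 Standard",
    "DC02": "Windows Server 2019 Standard",
}


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)
    changes: list = field(default_factory=list)  # (dn, attribute, value) pushed by host


def supports_dc_role(os_name):
    """Heuristic (assumption): only Windows Server editions can hold the DC role."""
    return "windows server" in os_name.lower()


def is_dc_style_spn(value):
    """GC/ is one of the SPNs a domain controller carries; a workstation never should."""
    return value.upper().startswith("GC/")


def detect_dcshadow(events, inventory, max_lifetime=timedelta(minutes=10)):
    """Return one Finding per host that shows rogue-DC indicators.

    Indicators: (1) an nTDSDSA object added and deleted within max_lifetime,
    (2) the registering host's OS cannot hold the DC role, (3) a DC-style SPN
    written to a computer object outside the Domain Controllers OU.
    Changes replicated from the host are attached so responders can review them.
    """
    regs = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        reg = regs.setdefault(e["host"], {"added": None, "removed": None, "spn": False, "changes": []})
        if e.get("class") == "nTDSDSA" and e["op"] == "add":
            reg["added"] = ts
        elif e.get("class") == "nTDSDSA" and e["op"] == "delete":
            reg["removed"] = ts
        elif e["op"] == "modify" and e.get("attr") == "servicePrincipalName":
            if is_dc_style_spn(e["value"]) and "OU=Domain Controllers" not in e["dn"]:
                reg["spn"] = True
        elif e["op"] == "replicate":
            reg["changes"].append((e["dn"], e["attr"], e["value"]))

    findings = []
    for host, reg in regs.items():
        if reg["added"] is None:
            continue  # no DC registration seen from this host
        reasons = []
        if reg["removed"] is not None and reg["removed"] - reg["added"] <= max_lifetime:
            reasons.append(f"DC registered and removed within {reg['removed'] - reg['added']}")
        os_name = inventory.get(host, "")
        if not supports_dc_role(os_name):
            reasons.append(f"host OS '{os_name or 'unknown'}' does not support the DC role")
        if reg["spn"]:
            reasons.append("DC-style SPN written to a non-DC computer object")
        if reasons:
            findings.append(Finding(host, reasons, reg["changes"]))
    return findings


if __name__ == "__main__":
    for f in detect_dcshadow(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(f"{f.host}: {'; '.join(f.reasons)}")
        for dn, attr, value in f.changes:
            print(f"  pushed change: {dn} {attr}={value}")
```

Run against the constructed input, only WKS01 is reported, with all three reasons and the single primaryGroupID change it pushed; DC02 stays registered on a server OS and is left alone. The lifetime window and the OS heuristic are the two knobs to tune for an environment where legitimate promotions or demotions are routine.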
DCShadow Threat Response with StealthDEFEND
In order to successfully execute a DCShadow attack, the perpetrator already needs elevated privilege to register the domain controller and execute replication. Since the attacker has already achieved this high level of privilege, an immediate response is needed to contain further damage and infiltration.
A standard playbook response of disabling users may not be enough in itself, as by the time this has happened the attacker likely has a host of other resources and options available to them.
The Automated Context Injection capabilities of StealthDEFEND provide us with the perpetrator, sources, targets, and other information related to the DCShadow attack that can be utilized by our response steps. In the event of a DCShadow attack, the best first step is to communicate that the attack has occurred and get the right information in front of the right people in the organization. By integrating with a number of third-party products such as Slack, Microsoft Teams, and ServiceNow, we are able to facilitate this.
StealthINTERCEPT Blocking policies can also be used to prevent the perpetrating account or workstation from executing additional replication, authentication, and other activities, which may help slow down an attacker and give responders more time to completely eliminate the threat.