DCShadow

How to detect and mitigate DCShadow attacks

DCShadow (implemented in Mimikatz) enables an attacker to register a fake Active Directory Domain Controller (DC) that pushes malicious changes to legitimate DCs through replication.

DCShadow attacks are difficult to detect. Because the changes are committed through replication, they are not written to the event log the way changes made directly on a DC would be. Replicated changes normally originate from a DC, but in this case the source is not a real DC.

DCShadow attacks are difficult to prevent. The DCShadow attack uses native features of Active Directory (AD), so it is not a vulnerability and cannot be patched.



STEALTHbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.

Detect DCShadow Attack

DCShadow can be detected by watching for any system other than a Domain Controller being registered with the SPNs the attack requires.

APPROACH

Domain Controller Impersonation

DESCRIPTION

Monitor for modifications to the SPN (servicePrincipalName) values of any computer that is not in the Domain Controllers group or OU, where the new values include:

  • Any value starting with GC/
  • The well-known GUID of the DRS service class, E3514235-4B06-11D1-AB04-00C04FC2DCD2

PRODUCT: StealthDEFEND


Mitigate DCShadow Attack

Performing the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor your Domain Admins and other privileged groups. However, DCShadow can also be performed with a narrower, least-privilege set of delegated permissions, so permissions on Active Directory should be inspected to ensure no unnecessary users hold these elevated rights.

APPROACH

Active Directory Domain Permissions

DESCRIPTION

Review the following domain permissions and confirm that every user or group holding them is authorized:

  • Add/Remove Replica in Domain (DS-Install-Replica)
  • Manage Replication Topology (DS-Replication-Manage-Topology)
  • Replication Synchronization (DS-Replication-Synchronize)

Also review these permissions on the Sites container
(CN=Sites,CN=Configuration,DC=domain,DC=com):

  • Create all child objects
  • Delete all child objects

Remove any unnecessary permissions.

PRODUCT: StealthAUDIT
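The detection approach (DC-only SPNs on non-DC computers) and the permission review above can both be run with standard tooling. The script below is an added example, not STEALTHbits product code; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the domain and configuration partitions, and the variable names are its own.

```powershell
# Added example (not STEALTHbits code). Assumes the RSAT ActiveDirectory module
# and read access to the domain and configuration naming contexts.
Import-Module ActiveDirectory

$drsGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # DRS service class GUID
$domain  = Get-ADDomain
$dcOu    = $domain.DomainControllersContainer
$dcNames = (Get-ADDomainController -Filter *).Name

# --- Detect: DC-only SPNs on computer accounts that are not Domain Controllers ---
# Registering GC/ or DRS-GUID SPNs on a non-DC computer is the indicator to alert on.
$spnFilter = "(|(servicePrincipalName=GC/*)(servicePrincipalName=$drsGuid/*))"
Get-ADComputer -LDAPFilter $spnFilter -Properties servicePrincipalName |
    Where-Object { $_.DistinguishedName -notlike "*,$dcOu" -and $_.Name -notin $dcNames } |
    ForEach-Object {
        [pscustomobject]@{
            Computer    = $_.Name
            SuspectSPNs = ($_.servicePrincipalName |
                           Where-Object { $_ -like 'GC/*' -or $_ -like "$drsGuid/*" }) -join '; '
        }
    }

# --- Review: who holds the replication control rights on the domain head ---
# Resolve each extended right's rightsGuid from the Extended-Rights container
# rather than hard-coding GUIDs.
$configDn   = (Get-ADRootDSE).configurationNamingContext
$rightGuids = @{}
foreach ($name in 'DS-Install-Replica','DS-Replication-Manage-Topology','DS-Replication-Synchronize') {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" -LDAPFilter "(cn=$name)" -Properties rightsGuid
    if ($er) { $rightGuids[[guid]$er.rightsGuid] = $name }
}
(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0 -and
        # An all-zero ObjectType on an ExtendedRight ACE grants every extended right.
        ($rightGuids.ContainsKey($_.ObjectType) -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, IsInherited,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { $rightGuids[$_.ObjectType] } } }

# --- Review: Create/Delete child rights on the Sites container ---
$childRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
(Get-Acl -Path "AD:\CN=Sites,$configDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $childRights)) -ne 0 } |
    Select-Object IdentityReference, IsInherited, ActiveDirectoryRights
```

Every principal the two review queries return should map to an approved role; GenericAll grants are reported as well, since they include the rights being reviewed.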
