STEALTHbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.
DCShadow can be detected by watching for any system other than a Domain Controller being registered with the SPNs the attack requires.
Domain Controller Impersonation
Monitor for modifications to the SPN values of any computer that is not in the Domain Controllers group or OU, where the new values include:
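A small detection routine for the check just described, added here as an example and not STEALTHbits' code: it walks servicePrincipalName changes (shaped like the fields of Windows Security event 5136) and flags DC-only SPNs added to any computer outside the Domain Controllers OU or group. The SPN prefixes, DNs and sample events are constructed assumptions, since the page's own list of values is not reproduced here.

```python
from dataclasses import dataclass

# SPN prefixes only a Domain Controller should carry. Assumption: the page's own list
# is not reproduced here; these are the Global Catalog and DRS replication prefixes.
DC_ONLY_SPN_PREFIXES = (
    "GC/",                                    # Global Catalog service
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/",  # Directory Replication Service RPC interface
)

@dataclass
class SpnChange:
    """One servicePrincipalName modification, shaped like Security event 5136 fields."""
    object_dn: str
    object_class: str
    attribute: str
    value: str
    operation: str  # "added" or "deleted"

def is_domain_controller(object_dn, dc_ou_dn, dc_group_members):
    """A computer counts as a DC if it sits in the DC OU or is a Domain Controllers member."""
    dn = object_dn.lower()
    return dn.endswith(dc_ou_dn.lower()) or dn in {m.lower() for m in dc_group_members}

def find_rogue_dc_spns(changes, dc_ou_dn, dc_group_members, prefixes=DC_ONLY_SPN_PREFIXES):
    """Return (object_dn, spn) pairs where a DC-only SPN was added to a non-DC computer."""
    upper_prefixes = tuple(p.upper() for p in prefixes)
    hits = []
    for c in changes:
        if c.attribute.lower() != "serviceprincipalname" or c.operation != "added":
            continue  # only new SPN values matter; deletions and other attributes are ignored
        if c.object_class.lower() != "computer" or is_domain_controller(c.object_dn, dc_ou_dn, dc_group_members):
            continue
        if c.value.upper().startswith(upper_prefixes):
            hits.append((c.object_dn, c.value))
    return hits

# Constructed sample: a legitimate DC, then a workstation that suddenly receives DC-only SPNs.
DC_OU = "OU=Domain Controllers,DC=corp,DC=example"
DC_GROUP_MEMBERS = {"CN=DC01,OU=Domain Controllers,DC=corp,DC=example"}
WKSTN = "CN=WKSTN01,CN=Computers,DC=corp,DC=example"
SAMPLE_CHANGES = [
    SpnChange("CN=DC01,OU=Domain Controllers,DC=corp,DC=example", "computer",
              "servicePrincipalName", "GC/DC01.corp.example/corp.example", "added"),
    SpnChange(WKSTN, "computer", "servicePrincipalName", "HOST/WKSTN01.corp.example", "added"),
    SpnChange(WKSTN, "computer", "servicePrincipalName", "GC/WKSTN01.corp.example/corp.example", "added"),
    SpnChange(WKSTN, "computer", "servicePrincipalName",
              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/8a7c1d2e-0000-4000-8000-000000000001/corp.example", "added"),
]
```

Running `find_rogue_dc_spns(SAMPLE_CHANGES, DC_OU, DC_GROUP_MEMBERS)` reports only the two DC-only SPNs on WKSTN01; the ordinary HOST/ SPN and the legitimate DC's GC/ SPN are ignored.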
Performing the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor your Domain Admins and other privileged groups. However, DCShadow can also be performed under a least-privilege model, so permissions on Active Directory should be inspected to ensure no unnecessary users hold these elevated rights.
Active Directory Domain Permissions
Review the following domain permissions and confirm that every user or group holding them is authorized:
Also review these permissions on the Sites object:
Remove any unnecessary permissions.