DCShadow is an attack which tries to modify existing objects in the Active Directory by using the legitimate APIs that domain controllers themselves use. This technique can be used from a workstation as a post-domain-compromise tactic for establishing domain persistence while bypassing most SIEM solutions. It was originally introduced by Benjamin Delpy and Vincent Le Toux and is part of the MITRE ATT&CK framework. More details about the attack, including the presentation talk, can be found in the DCShadow page.

The mimidrv.sys file, which is part of Mimikatz, needs to be transferred to the workstation that will take the role of the DC. Executing the command “!+” will register and start a service with SYSTEM level privileges. The “!processtoken” command will pass the SYSTEM token from that service to the current Mimikatz session so that it has the privileges required to implement the rogue Domain Controller.


Mimikatz – Register a Service and obtain SYSTEM token

A second instance of Mimikatz needs to be started with Domain Administrator privileges; it will be used to authenticate with the legitimate domain controller and push the changes from the rogue DC to the legitimate one. The following command will verify the process token.


Mimikatz – User Token

Executing the following command from the Mimikatz instance that is running with SYSTEM privileges will start a minimalistic version of a Domain Controller.

lsadump::dcshadow /object:test /attribute:url /

Mimikatz – DCShadow & URL Attribute

The following command, run from the instance with Domain Administrator privileges, will replicate the changes from the rogue domain controller to the legitimate one.

lsadump::dcshadow /push

DCShadow – Replicate attributes in the Domain Controller

Checking the properties of the “test” user will verify that the url attribute has been modified to include the new value, indicating that the DCShadow attack was successful.


DCShadow – url Attribute

It is also possible to modify the value of the primaryGroupID attribute in order to perform privilege escalation. The value 512 is the identifier (the RID portion of the SID) of the Domain Admins group.

lsadump::dcshadow /object:test /attribute:primaryGroupID /value:512

DCShadow – Add User to Domain Admin Group

The user “test” will now be part of the Domain Admins group. This can be verified by retrieving the list of domain administrators. The screenshot below illustrates the domain administrators before and after the DCShadow attack.

net group "domain admins" /domain

DCShadow – Verification that test user is DA


The DCShadow attack offers the red teamer various ways to achieve domain persistence: manipulating the SID History, changing the password of the krbtgt account, or adding users to elevated groups such as Domain Admins and Enterprise Admins. Even though this attack requires elevated privileges (DA), Nikhil Mittal discovered that it is possible for DCShadow to be conducted from the perspective of a domain user that has been granted the required permissions, avoiding the use of DA privileges. This script is part of the Nishang framework and can be found here. Using legitimate APIs to communicate with and push data to Active Directory is a stealthy way of modifying the directory without triggering alerts on the SIEM.
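The stealth described above comes from the fact that the rogue host is registered as a replication partner, which still leaves traces: the replication SPNs (the Global Catalog prefix and the DRS interface GUID) added to its computer account, and an nTDSDSA object created under the Configuration partition. The following detector over constructed event records is an added example, not code from the original post or from Mimikatz; the field layout, the KNOWN_DCS inventory and the sample host names are assumptions.

```python
import re

DRS_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
KNOWN_DCS = {"DC01$"}   # assumed inventory of legitimate domain controllers

# Constructed sample records (not from the page), shaped after the fields a
# collector would pull from Security events 4742 (computer account changed)
# and 5137 (directory service object created).
EVENTS = [
    {"id": 4742, "account": "DC01$",
     "spns": ["GC/dc01.lab.local/lab.local", "ldap/dc01.lab.local"]},
    {"id": 4742, "account": "WS01$",
     "spns": ["GC/ws01.lab.local/lab.local",
              DRS_GUID + "/1b2c3d4e-0000-4000-8000-aabbccddeeff/lab.local"]},
    {"id": 5137, "account": "lab\\attacker", "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=lab,DC=local"},
    {"id": 5137, "account": "lab\\svc_ad", "class": "user",
     "dn": "CN=bob,CN=Users,DC=lab,DC=local"},
]

def rogue_dc_spns(event):
    """Return replication SPNs set on a computer account that is not a known DC."""
    if event["id"] != 4742 or event["account"] in KNOWN_DCS:
        return []
    return [s for s in event["spns"]
            if s.upper().startswith("GC/") or DRS_GUID in s.upper()]

def rogue_ntdsdsa(event):
    """Return the server CN when an nTDSDSA object is created for a non-DC host."""
    if event["id"] != 5137 or event.get("class") != "nTDSDSA":
        return None
    m = re.search(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,.*CN=Sites,CN=Configuration",
                  event["dn"], re.IGNORECASE)
    if m and (m.group(1).upper() + "$") not in KNOWN_DCS:
        return m.group(1)
    return None

def detect(events):
    """Walk the records and collect DCShadow indicators as findings."""
    findings = []
    for ev in events:
        for spn in rogue_dc_spns(ev):
            findings.append(f"4742: replication SPN {spn} on non-DC {ev['account']}")
        server = rogue_ntdsdsa(ev)
        if server:
            findings.append(f"5137: nTDSDSA created for non-DC {server} by {ev['account']}")
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Because the rogue registration is removed again after the push, alerting must key on the creation events themselves rather than on the current state of the directory.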
