Netwrix and Stealthbits merge to better secure sensitive data. LEARN MORE

DCShadow

How to detect and mitigate DCShadow attacks

DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.

DCShadow attacks are difficult to detect. Because the changes are committed through replication, these changes are not logged to the event log the way other changes would be. The DC is where changes normally originate, but in this case there is no actual DC.

DCShadow attacks are difficult to prevent. The DCShadow attack uses native features of Active Directory (AD), so it is not a vulnerability and cannot be patched.

    Request A Free Trial

    Thank You For Your Request

    A Stealthbits representative will contact you shortly.

    If you have any questions, you can contact our sales department by sending an inquiry to sales@stealthbits.com.


    DCShadow

    Stealthbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.

    Detect DCShadow Attack

    Detection of DCShadow is possible by looking for the process of registering any system other than a Domain Controller with the required SPNs to perform the attack.

    APPROACH

    Domain Controller Impersonation

    DESCRIPTION

    Monitor for modification to the SPN values for any computers not in the Domain Controllers Group or OU with values including:

    • Any value starting with GC/
    • The well-known GUID of the DRS service class E3514235–4B06–11D1-AB04–00C04FC2DCD2

    PRODUCT: StealthDEFEND

    DOWNLOAD OUR COMPLETE ATTACK-TO-PRODUCT MAPPING GUIDE

    Mitigate DCShadow Attack

    The ability to perform the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor your Domain Admins and other privileged groups. However, it is also possible to perform DCShadow using a least privilege model and therefore permissions on Active Directory should be inspected to ensure no unnecessary users have these elevated rights.

    APPROACH

    Active Directory Domain Permissions

    DESCRIPTION

    Review the following domain permissions to make sure you approve all authorized users/groups:

    • Add/Remove Replica in Domain (DS-Install-Replica)
    • Manage Replication Topology (DS-Replication-Manage-Topology)
    • Replication Synchronization (DS-Replication-Synchronize)

    As well as these permissions on the Sites object
    (CN=Sites,CN=Configuration,DC=domain,DC=com):

    • Create all child objects
    • Delete all child objects

    Remove any unnecessary permissions.

    PRODUCT: StealthAUDIT

    Seeing is believing.

    © 2021 Stealthbits Technologies, Inc.