DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.
DCShadow attacks are difficult to detect. Because the changes are committed through replication, they are not written to the event log the way changes made directly on a DC would be. Changes normally originate on a DC, which records them; here the originating "DC" is a rogue machine, so no legitimate DC ever logs the change.
DCShadow attacks are difficult to prevent. The attack uses native features of Active Directory (AD) replication, so it is not a vulnerability and cannot be patched.
Stealthbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.
Detect DCShadow Attack
DCShadow can be detected by watching for any system other than a Domain Controller being registered with the SPNs the attack requires.
APPROACH: Domain Controller Impersonation
DESCRIPTION: Monitor for modification of the SPN values of any computer not in the Domain Controllers group or OU, where the new values include:
- Any value starting with GC/
- The well-known GUID of the DRS service class, E3514235-4B06-11D1-AB04-00C04FC2DCD2
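As an added example that is not Stealthbits code or part of the original page, the following Python applies the two indicators above to a set of constructed computer-account records. The field names (sAMAccountName, distinguishedName, servicePrincipalName, memberOf) are standard AD attribute names; the domain, host names and the NTDS-settings GUID inside the DRS SPN are constructed placeholders, and the assumption that a legitimate DC sits under the Domain Controllers OU or is a member of the Domain Controllers group is this example's, not the page's.

```python
"""Flag non-DC computer accounts that carry DC-only SPNs (a DCShadow indicator)."""

# Well-known service class GUID of the Directory Replication Service (DRS),
# as given on the page. Compared case-insensitively.
DRS_SERVICE_CLASS_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"


def is_domain_controller(record):
    """True if the account is in the Domain Controllers OU or group.

    Assumption (not from the page): legitimate DCs live directly under
    OU=Domain Controllers or are members of CN=Domain Controllers.
    """
    dn = record["distinguishedName"].lower()
    if ",ou=domain controllers," in dn:
        return True
    return any(
        group.lower().startswith("cn=domain controllers,")
        for group in record.get("memberOf", [])
    )


def suspicious_spns(spns):
    """Return the SPN values that only a real DC should ever carry."""
    hits = []
    for spn in spns:
        if spn.upper().startswith("GC/"):
            hits.append(spn)                      # Global Catalog SPN
        elif DRS_SERVICE_CLASS_GUID.lower() in spn.lower():
            hits.append(spn)                      # DRS replication SPN
    return hits


def find_dcshadow_candidates(records):
    """Return (account, [suspicious SPNs]) for every non-DC carrying DC SPNs."""
    findings = []
    for rec in records:
        if is_domain_controller(rec):
            continue                              # real DCs are expected to have these
        hits = suspicious_spns(rec.get("servicePrincipalName", []))
        if hits:
            findings.append((rec["sAMAccountName"], hits))
    return findings


# Constructed sample records (not real directory data).
NTDS_GUID_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # placeholder NTDS Settings objectGUID
SAMPLE_RECORDS = [
    {   # legitimate DC: DC-only SPNs are expected here
        "sAMAccountName": "DC01$",
        "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
        "memberOf": ["CN=Domain Controllers,CN=Users,DC=corp,DC=example"],
        "servicePrincipalName": [
            "GC/dc01.corp.example/corp.example",
            f"{DRS_SERVICE_CLASS_GUID}/{NTDS_GUID_PLACEHOLDER}/corp.example",
        ],
    },
    {   # ordinary workstation: nothing unusual
        "sAMAccountName": "WS042$",
        "distinguishedName": "CN=WS042,OU=Workstations,DC=corp,DC=example",
        "memberOf": [],
        "servicePrincipalName": ["HOST/ws042", "HOST/ws042.corp.example"],
    },
    {   # workstation that has just been given DC SPNs: the indicator to alert on
        "sAMAccountName": "WS099$",
        "distinguishedName": "CN=WS099,OU=Workstations,DC=corp,DC=example",
        "memberOf": [],
        "servicePrincipalName": [
            "HOST/ws099",
            "GC/ws099.corp.example/corp.example",
            f"{DRS_SERVICE_CLASS_GUID}/{NTDS_GUID_PLACEHOLDER}/corp.example",
        ],
    },
]

if __name__ == "__main__":
    for account, spns in find_dcshadow_candidates(SAMPLE_RECORDS):
        print(f"ALERT: {account} is not a DC but carries DC SPNs: {spns}")
```

In practice the records would come from a directory snapshot or from the change events a monitoring product collects; the value of the check is that it keys on the SPN registration, which a rogue host must perform before replication, rather than on the replicated change itself, which leaves no normal log entry.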
Performing the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor Domain Admins and other privileged groups. However, it is also possible to perform DCShadow under a least-privilege model, so permissions on Active Directory should be reviewed to ensure no unnecessary users hold these elevated rights.
APPROACH: Active Directory Domain Permissions
DESCRIPTION: Review the following domain permissions to make sure every user or group granted them is authorized and approved: