DCShadow

How to detect and mitigate DCShadow attacks

DCShadow enables an attacker (using Mimikatz) to create a fake Active Directory Domain Controller (DC) that can replicate malicious changes to legitimate DCs.

DCShadow attacks are difficult to detect. Because the changes are committed through replication, they are not written to the event log the way directly made changes would be. Changes normally originate on a DC, which would record them, but in this case the originating "DC" is not a real one.

DCShadow attacks are difficult to prevent. The attack uses native Active Directory (AD) replication features, so it is not a vulnerability and cannot be patched.



    DCShadow

    Stealthbits’ products provide a multitude of ways to detect and mitigate the DCShadow attack.

    Detect DCShadow Attack

    DCShadow can be detected by watching for any system other than a Domain Controller being registered with the SPNs that the attack requires.

    APPROACH

    Domain Controller Impersonation

    DESCRIPTION

    Monitor for modifications to the SPN (servicePrincipalName) values of any computer that is not in the Domain Controllers group or OU, looking for values including:

    • Any value starting with GC/
    • The well-known GUID of the DRS service class E3514235-4B06-11D1-AB04-00C04FC2DCD2
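The two SPN patterns above, applied as a filter over SPN-change records, as an added example that is not part of the original page or of any Stealthbits product. It assumes a constructed record format (one "computer|spn" line per added servicePrincipalName value, the fields a SIEM would extract from a directory-service change event), a constructed list of known DCs, and fictional host and domain names.

```python
from dataclasses import dataclass

# Well-known GUID of the DRS service class, as listed on this page.
DRS_SERVICE_CLASS_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Assumption: the legitimate DCs come from the Domain Controllers OU/group.
# Constructed sample set.
KNOWN_DCS = {"DC01", "DC02"}

@dataclass
class SpnChange:
    computer: str   # computer account, e.g. "WS042$"
    spn: str        # one servicePrincipalName value that was added

# Constructed sample records in a simplified "computer|spn" format
# (fictional hosts and domain).
SAMPLE_LINES = """
DC01$|GC/DC01.corp.example/corp.example
WS042$|HOST/WS042.corp.example
WS042$|GC/WS042.corp.example/corp.example
WS042$|{E3514235-4B06-11D1-AB04-00C04FC2DCD2}/1a2b3c4d-0000-0000-0000-000000000042/corp.example
SRV07$|ldap/SRV07.corp.example
""".strip().splitlines()

def parse_line(line: str) -> SpnChange:
    computer, spn = line.split("|", 1)
    return SpnChange(computer.strip(), spn.strip())

def is_dcshadow_spn(spn: str) -> bool:
    """True if the SPN's service class is GC or the DRS class GUID (any case, braces optional)."""
    service_class = spn.split("/", 1)[0].strip("{}").upper()
    return service_class in ("GC", DRS_SERVICE_CLASS_GUID)

def find_suspicious(lines, known_dcs=KNOWN_DCS):
    """Return (computer, spn) pairs where a non-DC computer received a DC-style SPN."""
    dcs = {d.upper() for d in known_dcs}
    hits = []
    for line in lines:
        ch = parse_line(line)
        if ch.computer.rstrip("$").upper() in dcs:
            continue  # real DCs are expected to carry these SPNs
        if is_dcshadow_spn(ch.spn):
            hits.append((ch.computer, ch.spn))
    return hits

if __name__ == "__main__":
    for computer, spn in find_suspicious(SAMPLE_LINES):
        print(f"ALERT possible DCShadow: {computer} registered {spn}")
```

Only WS042$ is flagged in the sample: its GC/ and DRS-class SPNs match, while its HOST/ SPN and the DC's own GC/ SPN do not.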

    PRODUCT: StealthDEFEND


    Mitigate DCShadow Attack

    Performing the DCShadow attack requires elevated rights within Active Directory, typically those of a Domain Administrator. The best mitigation is to protect and closely monitor your Domain Admins and other privileged groups. However, it is also possible to perform DCShadow under a least-privilege model, so permissions in Active Directory should be inspected to ensure that no unnecessary users hold these elevated rights.

    APPROACH

    Active Directory Domain Permissions

    DESCRIPTION

    Review the following permissions on the domain object and confirm that every user or group granted them is approved:

    • Add/Remove Replica in Domain (DS-Install-Replica)
    • Manage Replication Topology (DS-Replication-Manage-Topology)
    • Replication Synchronization (DS-Replication-Synchronize)

    Also review these permissions on the Sites object
    (CN=Sites,CN=Configuration,DC=domain,DC=com):

    • Create all child objects
    • Delete all child objects

    Remove any unnecessary permissions.

    PRODUCT: StealthAUDIT


    © 2022 Stealthbits Technologies, Inc.