What is DCShadow?

The DCShadow attack methodology exploits a switch in the Mimikatz utility that enables privileged users to inject malicious changes into Active Directory (AD) without detection. DCShadow takes advantage of native AD replication to avoid sending events to the AD security logs. Watch this video presentation to learn how to defend against this emerging threat.

The DCShadow Attack

DCShadow enables attackers who already hold admin rights to spin up a fake Domain Controller (DC) that can quickly distribute changes to legitimate DCs using the normal replication mechanisms.

Privileged users create a temporary DC object in the configuration naming context and keep it there just long enough (under 30 seconds) to push AD changes into an existing read-write DC. From there, replication is triggered by the legitimate, “trusted” DC.

Because these changes originate on the fake DC, the security event logs hold no record of what took place, and SIEMs are blind to the impending assault. Ultimately, the attacker’s movements go unchecked, leaving behind a persistent threat.

PRESENTED BY

Darren Mar-Elia

@GroupPolicyGuy

A 14-year Cloud and Datacenter Microsoft MVP, Darren has a wealth of experience in Identity and Access Management and was the CTO and founder of SDM Software, a provider of Microsoft systems management solutions.

All Rights Reserved. Semperis Inc. © 2019
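A defender-side check for the temporary DC object the attack relies on, added here as an example; it is not material from the page or part of the DSP product. It assumes the RSAT ActiveDirectory module is installed and the caller can read the Configuration naming context and the Domain Controllers OU; because the page notes the rogue object may exist for under 30 seconds, a one-off run can miss it, so the check is meant to run on a short schedule alongside change auditing.

```powershell
# Added example (not the page's or DSP's own code). Assumes the RSAT
# ActiveDirectory module and read access to the Configuration NC and the
# Domain Controllers OU.
Import-Module ActiveDirectory

function Get-DsaServerNames {
    # Every DC, legitimate or not, is announced by an nTDSDSA object under
    # CN=<server>,CN=Servers,CN=<site>,CN=Sites,<Configuration NC>.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope Subtree `
                 -LDAPFilter '(objectClass=nTDSDSA)' -Properties whenCreated |
        ForEach-Object {
            # The parent of the nTDSDSA object is the server object; its CN is the host name.
            $serverDN = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Server      = (Get-ADObject -Identity $serverDN).Name
                DsaDN       = $_.DistinguishedName
                WhenCreated = $_.whenCreated
            }
        }
}

function Find-SuspiciousDsaObjects {
    param(
        # Optional baseline of DC names captured during a known-good period.
        # A live query of the directory would also see a rogue object, so a
        # stored list is the safer reference.
        [string[]]$Baseline = @()
    )
    $dcOU = "OU=Domain Controllers," + (Get-ADDomain).DistinguishedName
    foreach ($entry in Get-DsaServerNames) {
        # A real DC normally has its computer account in the Domain Controllers OU.
        $hasDcAccount = [bool](Get-ADComputer -SearchBase $dcOU `
                               -Filter "Name -eq '$($entry.Server)'")
        $notInBaseline = ($Baseline.Count -gt 0) -and ($Baseline -notcontains $entry.Server)
        if ($notInBaseline -or -not $hasDcAccount) {
            $entry   # worth an alert: unknown server advertising itself as a DC
        }
    }
}

# Snapshot during a known-good period, then compare on a short schedule:
#   Get-DsaServerNames | Select-Object -ExpandProperty Server | Set-Content dc-baseline.txt
#   Find-SuspiciousDsaObjects -Baseline (Get-Content dc-baseline.txt)
Find-SuspiciousDsaObjects | Format-Table -AutoSize
```

A DC whose computer account has been moved out of the Domain Controllers OU will show up as a false positive; add it to the baseline rather than loosening the check.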


REQUEST A DEMO

Experience Directory Services Protector (DSP) in action

Receive a personalized demonstration today.


Defending Against the DCShadow Attack with Directory Services Protector (DSP)
