How to Defend Against DCShadow

DCShadow Attack Demonstration

ON-DEMAND


Learn how to detect rogue DCs, quickly roll back unwanted changes, and enrich event logs with unparalleled visibility.

DCShadow empowers attackers (with admin rights) to spin up a fake Domain Controller (DC) that can quickly distribute changes to legitimate DCs using normal replication mechanisms. 

Privileged users create a temporary DC object in the configuration naming context and keep it there just long enough (under 30 seconds) to push AD changes into an existing read-write DC. From there, replication is triggered by the legitimate “trusted” DC.

Now, because these changes originated on the fake DC, security event logs have no record of what took place – SIEMs are blind to the impending assault. Ultimately, the attacker’s movements go unchecked, leaving behind a persistent threat.
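Since the rogue DC has to exist as an NTDS Settings (nTDSDSA) object under CN=Sites in the configuration naming context while the changes are pushed, one practical detection is to enumerate those objects and compare them against the domain controllers the forest itself reports. The following PowerShell check is an added example, not code from the Semperis page or from the presentation. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to the configuration partition, and that every legitimate DC is returned by Get-ADDomainController; the Finding field name and the output layout are the example's own.

```powershell
# Added example (not code from the Semperis page or the presentation): enumerate
# NTDS Settings (nTDSDSA) objects in the configuration naming context and flag
# any that no domain in the forest reports as a domain controller. Assumes the
# ActiveDirectory RSAT module and read access to the configuration partition.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$sitesBase = "CN=Sites," + $rootDse.configurationNamingContext

# NTDS Settings DNs of every DC that each domain in the forest knows about
# (covers multi-domain forests, whose DCs all register under the same CN=Sites).
$knownDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        ForEach-Object { $_.NTDSSettingsObjectDN }
}

# Every nTDSDSA object currently present under CN=Sites, including one that a
# DCShadow run registers temporarily; whenCreated shows very recent registrations.
$ntdsObjects = Get-ADObject -SearchBase $sitesBase -SearchScope Subtree `
    -LDAPFilter "(objectClass=nTDSDSA)" -Properties whenCreated, whenChanged

$findings = foreach ($obj in $ntdsObjects) {
    if ($knownDcs -notcontains $obj.DistinguishedName) {
        [PSCustomObject]@{
            Finding     = "nTDSDSA object with no matching domain controller"
            DN          = $obj.DistinguishedName
            WhenCreated = $obj.whenCreated
            WhenChanged = $obj.whenChanged
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    "No unexpected NTDS Settings objects found under $sitesBase"
}
```

Because the temporary DC object is kept in place for under 30 seconds and is removed afterwards, a single point-in-time query can easily miss it: run the check on a short schedule, and treat it as a complement to change auditing on the configuration partition and to monitoring of the DC computer objects and their replication metadata, not as the only control.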

The DCShadow Attack

PRESENTED BY

Darren Mar-Elia

@GroupPolicyGuy

A 14-year Cloud and Datacenter Microsoft MVP, Darren has a wealth of experience in Identity and Access Management and was the CTO and founder of SDM Software, a provider of Microsoft systems management solutions.

The DCShadow attack exploits a switch in the Mimikatz utility that enables privileged users to inject malicious changes into Active Directory (AD) without detection. DCShadow takes advantage of native AD replication to avoid sending events to the AD security logs. Watch this video presentation to learn how to defend against this emerging threat.

All Rights Reserved. Semperis Inc. © 2019
