In-Brief: DC-Shadow, a new attack against Windows Active Directory

At the BlueHat-Israel conference organized by Microsoft in late January, Benjamin Delpy and Vincent Le Toux presented a new feature brought to the Mimikatz tool: DCShadow.

DCshadow is a clever attack, which allows an attacker who has already gained admin privileges on an Active Directory, to create a fake DC (Domain Controler) on any company workstation.  This fake DC inserts itself into the replication mechanism between DC and can then inject arbitrary data (for example, to recreate an admin account). One of DCshadow's major interests is that it leaves almost no trace as the attack passes through the Active Directory's replication streams.

DCShadow brings a new challenge to Active Directory security monitoring, in the way it is now mandatory to be able to detect any rogue DC such as DCshadow, as soon as it appears within the company.

For more information:

• A 5 minutes explanation for DC-Shadow (starts at 33rd minute), in French:
  https://www.comptoirsecu.fr/sechebdo/sechebdo-30-janvier-2018/
  (English article: https://blog.alsid.eu/dcshadow-explained-4510f52fc19d )

   

• Another French podcast by DC-Shadow authors (45 minutes):
  https://www.nolimitsecu.fr/dcshadow/
  
   
• Official DCShadow website
  https://www.dcshadow.com/