Understanding DCShadow Attack Techniques

The document summarizes the DCShadow attack technique which can be used as a post-domain compromise tactic to establish domain persistence. It describes how Mimikatz can be used to register a service with SYSTEM privileges and implement a fake domain controller by modifying attributes in Active Directory. The changes are then replicated from the rogue domain controller to the legitimate one to bypass most SIEM solutions.
Penetration Testing Lab

Articles from the Pentesting Field


DCShadow

April 16, 2018
Posted by netbiosX in Red Team. Tags: Active Directory, DCShadow, Mimikatz

DCShadow is an attack which modifies existing data in Active Directory by using the legitimate APIs that domain controllers use. The technique can be run from a workstation as a post-domain-compromise tactic to establish domain persistence while bypassing most SIEM solutions. It was originally introduced by Benjamin Delpy and Vincent Le Toux and is part of the MITRE ATT&CK framework. More details about the attack, including the presentation talk, can be found on the DCShadow page.

The [Link] file, which is part of Mimikatz, needs to be transferred to the workstation that will play the role of the DC. Executing the command "!+" registers and starts a service with SYSTEM-level privileges. The "!processtoken" command moves the SYSTEM token from that service into the current Mimikatz session, which provides the privileges required to implement the fake domain controller.

!+
!processtoken
Mimikatz – Register a Service and obtain SYSTEM token
A new instance of Mimikatz needs to be started with Domain Administrator privileges; it will be used to authenticate to the legitimate domain controller and push the changes from the rogue DC to the legitimate one. The following command verifies the process token.

token::whoami
Mimikatz – User Token
Executing the following command from the Mimikatz instance that is running with SYSTEM privileges starts a minimalistic version of a domain controller.

lsadump::dcshadow /object:test /attribute:url /value:pentestla
Mimikatz – DCShadow & URL Attribute
July 2014
The following command replicates the changes from the rogue domain controller to the legitimate one.

lsadump::dcshadow /push
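From the defender's side, the registration and push described above leave a trace on the legitimate DC: the computer account that poses as a DC gains DC-only service principal names (a "GC/" SPN and one carrying the well-known DRS replication interface GUID), which shows up in Security event 4742. The following added example (not part of the original post) scans a constructed, simplified key=value rendering of such events and flags non-DC accounts that acquired those SPNs; the event format, host names and the KNOWN_DCS baseline are assumptions.

```python
import re

# Well-known GUID of the Directory Replication Service (DRS) RPC interface.
# A host registering itself as a DC advertises this GUID in its SPNs.
DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed, simplified key=value rendering of Security event 4742
# ("A computer account was changed"); these are not real exported events.
SAMPLE_EVENTS = [
    "EventID=4742 TargetUserName=DC01$ ServicePrincipalNames=HOST/dc01.lab.local;GC/dc01.lab.local/lab.local",
    "EventID=4742 TargetUserName=WS01$ ServicePrincipalNames=HOST/ws01.lab.local;GC/ws01.lab.local/lab.local;E3514235-4B06-11D1-AB04-00C04FC2DCD2/8b2e1e5a-0000-4000-8000-000000000001/lab.local",
    "EventID=4742 TargetUserName=WS02$ ServicePrincipalNames=HOST/ws02.lab.local;WSMAN/ws02.lab.local",
    "EventID=4624 TargetUserName=WS01$ ServicePrincipalNames=",
]

# Computer accounts that are legitimately domain controllers (assumed baseline).
KNOWN_DCS = {"DC01$"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Turn one constructed key=value line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def dc_like_spns(spns):
    """Return the SPNs that only a domain controller should advertise."""
    return [s for s in spns
            if s.upper().startswith("GC/") or s.upper().startswith(DRS_SPN_GUID)]


def find_rogue_dc_registrations(lines, known_dcs=KNOWN_DCS):
    """Flag 4742 events where a non-DC computer account gained DC-only SPNs."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4742":
            continue
        account = ev.get("TargetUserName", "")
        if account in known_dcs:
            continue
        spns = [s for s in ev.get("ServicePrincipalNames", "").split(";") if s]
        suspicious = dc_like_spns(spns)
        if suspicious:
            findings.append((account, suspicious))
    return findings


if __name__ == "__main__":
    for account, spns in find_rogue_dc_registrations(SAMPLE_EVENTS):
        print(f"possible DCShadow registration: {account} -> {spns}")
```

Mimikatz removes the SPNs again after the push, so the alert has to fire on the 4742 event itself rather than on the current state of the account.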
DCShadow – Replicate attributes in the Domain Controller
9 hours ago
Checking the properties of the "test" user verifies that the url attribute has been modified to include the new value, indicating that the DCShadow attack was successful.
DCShadow – url Attribute

It is also possible to modify the value of the primaryGroupID attribute in order to perform privilege escalation. The value 512 is the Security Identifier (SID) for the Domain Administrators group.

lsadump::dcshadow /object:test /attribute:primaryGroupID /val
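A practical consequence of the primaryGroupID technique for defenders: membership granted through primaryGroupID is not stored in the group's member attribute, so an audit that only reads member (or only alerts on "member added" events) misses the change. The added example below (not the post's own code) computes effective Domain Admins membership from a constructed directory snapshot, diffs it against a baseline, and lists accounts whose primaryGroupID is not one of the default values; the snapshot, user names and baseline are assumptions.

```python
# Constructed directory snapshot (not real data): the explicit "member"
# attribute of Domain Admins plus each user's primaryGroupID.
DOMAIN_ADMINS_RID = 512
# Default primary groups: Domain Users, Domain Computers, Domain Controllers, RODCs.
EXPECTED_PRIMARY_GROUPS = {513, 515, 516, 521}

GROUP_MEMBER_ATTRIBUTE = {
    "Domain Admins": ["Administrator"],
}
USERS = {
    "Administrator": {"primaryGroupID": 513},
    "test": {"primaryGroupID": 512},  # value written through DCShadow in the post
    "alice": {"primaryGroupID": 513},
}


def effective_members(group_name, group_rid, groups, users):
    """Explicit members plus users whose primaryGroupID points at the group.

    primaryGroupID membership never appears in the group's member attribute,
    so a listing built only from 'member' would not show these accounts."""
    explicit = set(groups.get(group_name, []))
    implicit = {u for u, attrs in users.items() if attrs["primaryGroupID"] == group_rid}
    return explicit | implicit


def unusual_primary_groups(users, expected=EXPECTED_PRIMARY_GROUPS):
    """Accounts whose primaryGroupID is not a default group; worth review."""
    return sorted((u, a["primaryGroupID"]) for u, a in users.items()
                  if a["primaryGroupID"] not in expected)


def added_since_baseline(baseline, current):
    """Members present now that were absent from the recorded baseline."""
    return sorted(current - baseline)


if __name__ == "__main__":
    baseline = {"Administrator"}  # assumed earlier snapshot of Domain Admins
    now = effective_members("Domain Admins", DOMAIN_ADMINS_RID,
                            GROUP_MEMBER_ATTRIBUTE, USERS)
    print("added to Domain Admins:", added_since_baseline(baseline, now))
    print("non-default primaryGroupID:", unusual_primary_groups(USERS))
```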
DCShadow – Add User to Domain Admin Group

The user "test" is now part of the Domain Administrators group. This can be verified by retrieving the list of domain administrators. The screenshots below illustrate the domain administrators before and after the DCShadow attack.

net group "domain admins" /domain

DCShadow – Verification that test user is DA

Conclusion
The DCShadow attack offers the red teamer various ways to achieve domain persistence: manipulating the SID History, changing the password of the krbtgt account, or adding users to elevated groups such as Domain Admins and Enterprise Admins. Even though this attack requires elevated privileges (DA), Nikhil Mittal discovered that DCShadow can be conducted from the perspective of a domain user that has the required permissions, avoiding the use of DA privileges. This script is part of the Nishang framework and can be found here. Using legitimate APIs to communicate with and push data to Active Directory is a stealthy method of modifying Active Directory without triggering alerts on the SIEM.
