Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
DCShadow is a well-known, advanced, and effective technique for manipulating Active Directory (AD) data. An attacker with administrator privileges and access to a domain controller (DC) can leverage attack tools to blend in with normal AD activity and traffic. DCShadow activity can indicate that an attacker has an established presence on the network and has escalated their privileges to administrative domain levels.
The system might change the risk score for this detection.
Kill Chain
Risk Score
88
Domain controllers (DCs) can provide an attacker with critical information about your network. DCShadow is an attack technique that is included in attack tools such as Mimikatz. This technique enables an attacker to impersonate a DC and manipulate data in an AD database that is stored on a DC. First, the attacker infiltrates the network and acquires domain administrator privileges. The attacker runs an attack tool to perform the DCShadow technique. This technique modifies the service principal name (SPN) of a compromised device to impersonate a DC and sends Microsoft remote procedure call (MS-RPC) requests that modify AD data. For example, these MS-RPC requests might change the password or group membership of an attacker-controlled account. The attacker runs the attack tool again to cover their tracks and delete the SPN of the fake DC. After modified AD data is replicated to other legitimate DCs across the network, the attacker can gain full access to any network device from an attacker-controlled account.
Strictly manage the users and groups who have domain admin permissions and can replicate information from a DC
Implement strict login controls on devices with highly-privileged users to reduce the exposure of credentials stored in memory
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
