T1207 Rogue Domain Controller
Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. 1 Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.
Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. 2
This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). 1 The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. 1
| Item | Value |
|---|---|
| ID | T1207 |
| Sub-techniques | |
| Tactics | TA0005 |
| Platforms | Windows |
| Permissions required | Administrator |
| Version | 2.1 |
| Created | 18 April 2018 |
| Last Modified | 08 March 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0002 | Mimikatz | Mimikatz’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.62 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0026 | Active Directory | Active Directory Object Creation |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0002 | User Account | User Account Authentication |
References
-
Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018. ↩↩↩
-
Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015. ↩↩
-
Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018. ↩
-
Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018. ↩
-
Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018. ↩