How to detect and respond to a DCShadow attack using ADAudit Plus


In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a DCShadow attack, take immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • Event IDs 5136 (A directory service object was modified) and 5141 (A directory service object was deleted) are generated by the audit subcategory DS Access > Audit Directory Service Changes; Audit Directory Service Access should be enabled alongside it. Both must be enabled on the domain controllers, and the objects you want audited need an auditing entry (SACL) that covers writes, because these events are only written for objects whose SACL requests them. Refer to the document on enabling audit policy.

Steps to follow  

Step 1: Detecting the attack  

  1. Navigate to the Active Directory tab > Attack Surface Analyzer > Threats > DCShadow.

  2. This report shows all detections related to a possible DCShadow attack, where an attacker's machine temporarily registers itself as a rogue domain controller (DC) and uses replication to push malicious changes into the directory.

Step 2: Understanding the detection criteria  

ADAudit Plus detects a potential DCShadow attack based on a specific sequence of events:

  • Description: An attacker registers a machine as a DC and pushes changes in through replication. Because the legitimate DCs receive those changes as replicated data rather than as originating LDAP writes, the changes themselves do not produce 5136 events there; only the rogue DC's registration and clean-up leave a trail in the Security log.

  • Detection logic:

    • Event Code equals 5136 (A directory service object was modified).

    • Attribute Value contains GC/ (a Global Catalog SPN of the form GC/<host>/<forest> being added to the servicePrincipalName attribute of the attacker's machine account, which is what makes the other DCs accept it as a DC).

    • Operation Type equals Value Added.

    • Followed by, within 60 seconds:

      • Event code equals 5141 (A directory service object was deleted).

      • Object Class contains nTDSDSA (the NTDS Settings object under CN=Sites,CN=Configuration that represents a DC; the attacker deletes it to unregister the rogue DC).

      • Subject Account Name does not end with $ (the deletion was performed by a user account rather than a computer account; a real DC's account name ends with $).

    Note that the 60-second window only matches an attacker who unregisters the rogue DC immediately. One who leaves the nTDSDSA object in place, or deletes it later, will not trip this rule, which is why the nTDSDSA-creation monitoring in the Tips section is a necessary complement.
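The sequence above, implemented as an added example in PowerShell (this is not ADAudit Plus code; the product applies the rule internally). It flattens raw 5136/5141 records from a DC's Security log into the fields the rule uses, then correlates them with the 60-second window. The sample events at the end are constructed, not captured: one true DCShadow sequence (WS01 receives a GC/ SPN, then its NTDS Settings object is deleted 12 seconds later by the same user) and one benign GC/ SPN addition from a genuine promotion of DC02 with no deletion afterwards, so the function returns only the WS01/jdoe match. The names corp.local, WS01, DC02 and jdoe are assumed.

```powershell
# Added example, not part of ADAudit Plus. Reproduces the DCShadow detection rule
# over Security-log events 5136 and 5141 collected from a domain controller.

function ConvertFrom-DsEvent {
    # Flattens an EventRecord from Get-WinEvent into the EventData fields the rule needs.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            Id              = $Event.Id
            SubjectUserName = $data['SubjectUserName']
            ObjectDN        = $data['ObjectDN']
            ObjectClass     = $data['ObjectClass']
            Attribute       = $data['AttributeLDAPDisplayName']
            AttributeValue  = $data['AttributeValue']
            # 5136 records OperationType as a message id: %%14674 = Value Added, %%14675 = Value Deleted
            OperationType   = $data['OperationType']
        }
    }
}

function Find-DCShadowSequence {
    # Trigger: 5136 whose AttributeValue starts with GC/ and whose operation is Value Added.
    # Follow-up within $WindowSeconds: 5141 of an nTDSDSA object by an account not ending in $.
    param([Parameter(Mandatory)] [object[]] $Events, [int] $WindowSeconds = 60)

    $sorted   = $Events | Sort-Object TimeCreated
    $triggers = $sorted | Where-Object {
        $_.Id -eq 5136 -and
        $_.AttributeValue -like 'GC/*' -and
        ($_.OperationType -eq '%%14674' -or $_.OperationType -eq 'Value Added')
    }
    foreach ($t in $triggers) {
        $deadline = $t.TimeCreated.AddSeconds($WindowSeconds)
        $del = $sorted | Where-Object {
            $_.Id -eq 5141 -and
            $_.TimeCreated -ge $t.TimeCreated -and $_.TimeCreated -le $deadline -and
            $_.ObjectClass -like '*nTDSDSA*' -and
            $_.SubjectUserName -notlike '*$'
        } | Select-Object -First 1
        if ($del) {
            [pscustomobject]@{
                Account        = $del.SubjectUserName
                RogueHostDN    = $t.ObjectDN          # computer object that received the GC/ SPN
                SpnAdded       = $t.AttributeValue
                Registered     = $t.TimeCreated
                Unregistered   = $del.TimeCreated
                NtdsDsaDeleted = $del.ObjectDN
            }
        }
    }
}

# Live use on a DC (last 24 hours of the Security log):
#   $ev = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136,5141; StartTime=(Get-Date).AddDays(-1)} |
#         ConvertFrom-DsEvent
#   Find-DCShadowSequence -Events $ev

# Constructed sample (names assumed): WS01 gets a GC/ SPN and its NTDS Settings object is
# deleted 12 s later by the same user; DC02 is a genuine promotion with no deletion after it.
$t0 = [datetime]'2024-05-01T10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0; Id = 5136; SubjectUserName = 'jdoe'
        ObjectDN = 'CN=WS01,CN=Computers,DC=corp,DC=local'; ObjectClass = 'computer'
        Attribute = 'servicePrincipalName'; AttributeValue = 'GC/ws01.corp.local/corp.local'
        OperationType = '%%14674' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(12); Id = 5141; SubjectUserName = 'jdoe'
        ObjectDN = 'CN=NTDS Settings,CN=WS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local'
        ObjectClass = 'nTDSDSA'; Attribute = $null; AttributeValue = $null; OperationType = $null }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); Id = 5136; SubjectUserName = 'DC02$'
        ObjectDN = 'CN=DC02,OU=Domain Controllers,DC=corp,DC=local'; ObjectClass = 'computer'
        Attribute = 'servicePrincipalName'; AttributeValue = 'GC/dc02.corp.local/corp.local'
        OperationType = '%%14674' }
)
Find-DCShadowSequence -Events $sample | Format-List
```

The RogueHostDN field is the computer object the GC/ SPN was written to, which is the machine to isolate in Step 3; the Account field is the Subject Account Name to disable. Widen WindowSeconds when hunting retrospectively, since the 60-second figure is the product's default rather than a property of the attack.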

Step 3: Immediate remediation  

A DCShadow attack indicates a severe compromise by an attacker with high-level privileges. Act immediately:

  1. Isolate the source machine: The 5136 event identifies the computer object that received the GC/ SPN (Object DN), and the Subject Account Name identifies the account used; together they point to the host that registered as a rogue DC. Isolate that machine from the network as soon as possible.

  2. Disable the compromised account: The account used for the attack (Subject Account Name) has Domain Admin-equivalent privileges. Disable it immediately for investigation.

  3. Investigate the malicious change: This is the most critical step. The purpose of DCShadow is to inject a change that the legitimate DCs accept as replicated data, so it is not audited as a 5136 modification on them and does not appear in the normal change reports. You must inspect AD directly, including the replication metadata of sensitive attributes (which records the originating DC of each change), to find the unauthorized change. Look for recent suspicious activities, such as:

    • A user added to the Domain Admins group.

    • A servicePrincipalName (SPN) added to a user or computer account to enable Kerberoasting.

    • Modification of SID History on an account to escalate privileges.

  4. Revert unauthorized changes: Once the malicious change is identified, you must revert it manually.

  5. Assume full domain compromise: An attacker capable of a DCShadow attack is deeply embedded. It is safest to assume they have access to all password hashes. Consider initiating a full domain password reset, including resetting the krbtgt account password twice, waiting at least 10 hours (the maximum Kerberos ticket lifetime) between the two resets so that tickets issued under the old key expire and the second reset does not break authentication for services.
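Steps 2, 3 and 5 above as an added PowerShell example using the ActiveDirectory module from an administrative workstation; this is not the article's or the product's code. The account name jdoe, the 24-hour look-back window and the list of sensitive attributes are assumptions for this example. The forensic idea in step 3 is that a change injected by DCShadow reaches the real DCs by replication, so the originating DSA recorded in the attribute's replication metadata is the rogue one: any change in the window whose originating DSA is not one of the current DCs' NTDS Settings objects is suspect (a heuristic, since a legitimately demoted DC would also no longer resolve).

```powershell
# Added example, not from the article: triage for Step 3 with the ActiveDirectory module.
# Account name, look-back window and attribute list are assumptions for this example.
Import-Module ActiveDirectory

$Account = 'jdoe'                                   # Subject Account Name from the report
$Since   = (Get-Date).AddHours(-24)                  # how far back to look for injected changes
$Dc      = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

# Step 2: disable the account that performed the rogue registration.
Disable-ADAccount -Identity $Account -Server $Dc

# Step 3: injected changes arrive at real DCs by replication, so the originating DSA in each
# attribute's replication metadata is the rogue one. Anything in the window whose originating
# DSA is not a current DC's NTDS Settings object is suspect (heuristic; see the lead-in).
$KnownDsa  = (Get-ADDomainController -Filter * -Server $Dc).NTDSSettingsObjectDN
$Sensitive = 'member', 'sIDHistory', 'servicePrincipalName', 'primaryGroupID',
             'userAccountControl', 'msDS-AllowedToDelegateTo', 'ntSecurityDescriptor'

function Find-SuspiciousOriginatingChange {
    param([datetime] $Since, [string[]] $KnownDsa, [string[]] $Attributes, [string] $Server)
    Get-ADObject -Filter { whenChanged -ge $Since } -Server $Server |
        ForEach-Object {
            # -ShowAllLinkedValues is what exposes individual group-member additions.
            Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName -Server $Server `
                -Properties $Attributes -ShowAllLinkedValues -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.LastOriginatingChangeTime -ge $Since -and
            $KnownDsa -notcontains $_.LastOriginatingChangeDirectoryServerIdentity
        } |
        Select-Object Object, AttributeName, AttributeValue, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

# Step 5: krbtgt must be reset twice, at least 10 hours apart (the maximum ticket lifetime),
# once the attacker's access is removed. Call this function, wait, then call it again.
function Reset-KrbtgtPassword {
    param([string] $Server)
    $new = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Server $Server -Reset -NewPassword $new
}

Find-SuspiciousOriginatingChange -Since $Since -KnownDsa $KnownDsa -Attributes $Sensitive -Server $Dc |
    Format-Table -AutoSize
# Reset-KrbtgtPassword -Server $Dc      # run deliberately, twice, with the wait in between
```

Each row returned names the object, the attribute, the value that was written and the DSA it came from; a Domain Admins member addition or a sIDHistory value originating from an unknown DSA is exactly the hidden change step 3 is looking for, and the row gives you what you need to revert it in step 4. In a large domain, narrow the whenChanged window rather than widening it, since the metadata call runs once per changed object.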

Validation and confirmation  

  • After remediation, the DCShadow report in ADAudit Plus should no longer show new attacks.

  • Conduct a thorough audit of privileged groups and sensitive AD object permissions to confirm that no unauthorized changes remain.

Tips  

The following best practices are critical for preventing DCShadow attacks.

Principle of least privilege (PoLP)  

  • Restrict Domain Admin rights: A DCShadow attack requires Domain Admin (or equivalent) privileges. Strictly limit membership in privileged groups like Domain Admins and Enterprise Admins. No standard user or service account should ever be a member of these groups.

Secure privileged accounts  

  • Implement a tiered access model: Ensure your most critical assets (Tier 0), like DCs, are only managed by dedicated Tier 0 administrator accounts. These accounts must never be used to log into lower-tier systems like workstations.

  • Use just-in-time (JIT) access: Implement JIT access to privileged accounts, eliminating standing privileges and reducing the attack surface.

Monitoring and detection  

  • Monitor for nTDSDSA object creation (Event ID 5137, A directory service object was created): Legitimate creation of nTDSDSA objects only occurs during a DC promotion. Alert on any creation of these objects outside of a planned DC promotion.

  • Monitor the configuration partition: DCShadow attacks manipulate objects within the configuration partition of AD. Monitor for unusual changes in this partition.

  • Monitor privileged group membership: Continuously monitor for and alert on any changes to groups like Domain Admins, Enterprise Admins, and Schema Admins.
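The first two monitoring tips as an added PowerShell example to run hourly on a DC (for instance from a scheduled task); this is not the article's or the product's code. It uses Security-log XPath filters for 5137 nTDSDSA creations and for any originating change whose naming context (the DSName field of events 5136/5137/5141) is the configuration partition. The domain DN corp.local and the list of servers with an approved promotion are assumptions.

```powershell
# Added example, not from the article: an hourly check on a DC for the nTDSDSA-creation and
# configuration-partition tips. Domain DN and planned-promotion list are assumptions.
$ConfigNc   = 'CN=Configuration,DC=corp,DC=local'   # assumed forest configuration partition
$PlannedDcs = @('DC03')                              # servers with an approved promotion

# 5137 (object created) for class nTDSDSA in the last hour. Outside a promotion this is a rogue DC.
$NtdsdsaCreated = @"
*[System[EventID=5137 and TimeCreated[timediff(@SystemTime) <= 3600000]]]
and *[EventData[Data[@Name='ObjectClass']='nTDSDSA']]
"@

# Any originating create/modify/delete in the configuration partition in the last hour.
# Changes that arrived by replication are not audited here, only ones that originated on this DC.
$ConfigChanges = @"
*[System[(EventID=5136 or EventID=5137 or EventID=5141) and TimeCreated[timediff(@SystemTime) <= 3600000]]]
and *[EventData[Data[@Name='DSName']='$ConfigNc']]
"@

function Get-DsAuditEvent {
    # Runs an XPath query against the Security log and flattens the EventData fields.
    param([Parameter(Mandatory)] [string] $XPath)
    Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Subject  = $d['SubjectUserName']
                ObjectDN = $d['ObjectDN']
                Class    = $d['ObjectClass']
                DSName   = $d['DSName']
            }
        }
}

function Get-UnplannedDcRegistration {
    # An nTDSDSA DN is CN=NTDS Settings,CN=<server>,CN=Servers,..., so the second RDN is the host.
    param([string[]] $Planned)
    Get-DsAuditEvent -XPath $NtdsdsaCreated | Where-Object {
        $server = (($_.ObjectDN -split ',')[1]) -replace '^CN=', ''
        $Planned -notcontains $server
    }
}

$unplanned = Get-UnplannedDcRegistration -Planned $PlannedDcs
if ($unplanned) {
    Write-Warning "nTDSDSA object created outside a planned promotion:"
    $unplanned | Format-Table -AutoSize
}

# Configuration-partition activity, grouped by who made it, for review.
Get-DsAuditEvent -XPath $ConfigChanges |
    Group-Object Subject |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The nTDSDSA check is the one that survives an attacker who skips or delays the clean-up that the product's 60-second rule depends on. Run it on every DC, or forward the DCs' Security logs to one collector and run it there, because a 5137 for the rogue object is only written by the DC that received the originating LDAP create.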

Related topics and articles  

  • [To be added]
