Azure ATP brings you 2 new preview detections for the DCShadow attack

Microsoft

A domain controller shadow (DCShadow) attack changes directory objects through malicious replication. It can be performed from any machine by registering a rogue domain controller and pushing the changes through the normal replication process.


DCShadow uses RPC and LDAP to:

  1. Register the machine account as a domain controller (using domain admin rights), and
  2. Perform replication (using the granted replication rights) over DRSUAPI and send changes to directory objects.
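
The two steps above map directly onto two detection opportunities: a non-DC host registering itself as a domain controller, and replication over DRSUAPI originating from a host that is not a known DC. The following is an added example, not code from the original post or from Azure ATP, showing that logic run over constructed audit lines. The key=value log format, the hostnames and the KNOWN_DCS allowlist are all assumptions; the only Active Directory fact relied on is that a domain controller's settings live in an nTDSDSA object.

```python
# Added example (not from the original post): detection logic for the two
# DCShadow steps described above, run over constructed audit lines.
# Log format, hostnames and the KNOWN_DCS allowlist are all assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed allowlist: the domain's legitimate domain controllers.
KNOWN_DCS: Set[str] = {"DC01", "DC02"}

# Constructed audit lines in a simple key=value format (not a real product schema).
SAMPLE_LOG = """\
ts=2019-03-01T10:00:03Z kind=object_added host=DC01 class=user
ts=2019-03-01T10:02:11Z kind=object_added host=WKSTN-042 class=nTDSDSA
ts=2019-03-01T10:02:40Z kind=replication_request host=DC02 proto=DRSUAPI
ts=2019-03-01T10:03:05Z kind=replication_request host=WKSTN-042 proto=DRSUAPI
ts=2019-03-01T10:04:19Z kind=object_added host=DC02 class=computer
""".splitlines()


@dataclass
class DirectoryEvent:
    ts: str
    kind: str              # "object_added" or "replication_request"
    host: str              # machine account that performed the action
    attrs: Dict[str, str]  # remaining fields (class, proto, ...)


def parse_event(line: str) -> DirectoryEvent:
    """Parse one key=value audit line into a DirectoryEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return DirectoryEvent(
        ts=fields.pop("ts"),
        kind=fields.pop("kind"),
        host=fields.pop("host"),
        attrs=fields,
    )


def parse_events(lines: Iterable[str]) -> List[DirectoryEvent]:
    """Parse all non-empty lines, skipping blanks."""
    return [parse_event(line) for line in lines if line.strip()]


def detect_rogue_dc_registration(events: Iterable[DirectoryEvent],
                                 known_dcs: Set[str]) -> List[str]:
    """Step 1 of DCShadow: a host outside the DC set registers itself as a
    domain controller. In AD a DC's settings live in an nTDSDSA object, so an
    nTDSDSA creation attributed to a non-DC host is flagged."""
    return sorted({
        e.host for e in events
        if e.kind == "object_added"
        and e.attrs.get("class", "").lower() == "ntdsdsa"
        and e.host not in known_dcs
    })


def detect_suspicious_replication(events: Iterable[DirectoryEvent],
                                  known_dcs: Set[str]) -> List[str]:
    """Step 2 of DCShadow: directory replication over DRSUAPI requested by a
    host that is not a known domain controller."""
    return sorted({
        e.host for e in events
        if e.kind == "replication_request"
        and e.attrs.get("proto", "").upper() == "DRSUAPI"
        and e.host not in known_dcs
    })


def correlate_dcshadow(events: List[DirectoryEvent],
                       known_dcs: Set[str]) -> List[str]:
    """Hosts seen performing both steps: the strongest DCShadow signal."""
    promoted = set(detect_rogue_dc_registration(events, known_dcs))
    replicating = set(detect_suspicious_replication(events, known_dcs))
    return sorted(promoted & replicating)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("rogue DC registration:", detect_rogue_dc_registration(evs, KNOWN_DCS))
    print("suspicious replication:", detect_suspicious_replication(evs, KNOWN_DCS))
    print("both steps (DCShadow):", correlate_dcshadow(evs, KNOWN_DCS))
```

Each detector alone produces a candidate list; a host that appears in both is the one to investigate first. A legitimate promotion of a new domain controller will trip the first detector until the allowlist is updated, which is why the two signals are correlated rather than alerted on separately.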

Azure ATP detects this attack with 2 security alerts:


Stay tuned. Your feedback is welcome.
