Azure ATP brings you 2 new preview detections on DcShadow attack

Microsoft

A domain controller shadow (DCShadow) attack is an attack designed to change directory objects using malicious replication. This attack can be performed from any machine by creating a rogue domain controller using a replication process.

DCShadow uses RPC and LDAP to:

  1. Register the machine account as a domain controller (using domain admin rights), and
  2. Perform replication (using the granted replication rights) over DRSUAPI and send changes to directory objects.

Azure ATP detects the attack with 2 security alerts:

  - [Suspicious domain controller promotion (potential DCShadow attack)](http://aka.ms/atasaguide-DcShadow1)
  - [Suspicious replication request (potential DCShadow attack)](http://aka.ms/atasaguide-DcShadow2)
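The first alert above covers step 1, the rogue registration. As an added example (not Azure ATP's own detection logic), the following check walks a constructed snapshot of the server objects under CN=Sites in the Configuration naming context and flags any server that carries NTDS Settings but whose serverReference does not point into the Domain Controllers OU; the DNs, OU names and the record layout (`hasNTDSDSA`, `serverReference`) are assumptions for the example.

```python
import re

# Constructed example data: a hand-written snapshot of server objects under
# CN=Sites in the Configuration naming context, not a dump from a live forest.
# Each legitimate DC has an nTDSDSA child (NTDS Settings) and a serverReference
# pointing at its computer object in OU=Domain Controllers. The last entry
# mimics a DCShadow-style registration made from an ordinary workstation.
CONFIG_SERVERS = [
    {"dn": "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com",
     "serverReference": "CN=DC01,OU=Domain Controllers,DC=contoso,DC=com",
     "hasNTDSDSA": True},
    {"dn": "CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com",
     "serverReference": "CN=DC02,OU=Domain Controllers,DC=contoso,DC=com",
     "hasNTDSDSA": True},
    {"dn": "CN=WKS-042,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com",
     "serverReference": "CN=WKS-042,OU=Workstations,DC=contoso,DC=com",
     "hasNTDSDSA": True},
]

# Assumed location of legitimate DC computer objects (the default for a promoted DC).
DC_OU = "OU=Domain Controllers,DC=contoso,DC=com"


def parent_container(dn):
    """Strip the leading RDN from a DN, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def find_rogue_dc_registrations(servers, dc_ou=DC_OU):
    """Return the DNs of server objects that carry NTDS Settings (and can
    therefore take part in replication) but whose serverReference does not
    point into the Domain Controllers OU. A normal promotion places the
    computer object there; a registration from a workstation does not."""
    rogue = []
    for server in servers:
        if not server.get("hasNTDSDSA"):
            continue  # no NTDS Settings object: not advertising as a DC
        ref = server.get("serverReference", "")
        if parent_container(ref).lower() != dc_ou.lower():
            rogue.append(server["dn"])
    return rogue


if __name__ == "__main__":
    for dn in find_rogue_dc_registrations(CONFIG_SERVERS):
        print("unexpected DC registration:", dn)
```

In a real environment the two inputs would come from an LDAP query of CN=Sites,CN=Configuration and of the Domain Controllers OU; a transient DCShadow registration may already be gone by the time a scheduled check runs, which is why a real-time alert on the registration itself is the stronger control.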

Stay tuned. Your feedback is welcome.

[Images: dcShadow1.png, dcShadow2.png, dcShadow3.png]